[Federal Register: December 28, 2000 (Volume 65, Number 250)] [Rules and Regulations] [Page 82661-82710] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr28de00-33] [[pp. 82661-82710]] Standards for Privacy of Individually Identifiable Health Information [[Continued from page 82660]] [[Page 82661]] marketing purposes, absent any other authority to act for her husband. See Sec. 164.502(g) for more information regarding personal representatives. Comment: One commenter suggested that authorizations should be dated on the day they are signed. Response: We agree and have retained this requirement in the final rule. Additional Elements and Requirements for Authorizations Requested by the Covered Entity for Its Own Uses and Disclosures Comment: Some commenters suggested that we should not require different elements in authorizations initiated by the covered entity versus authorizations initiated by the individual. The commenters argued the standards were unnecessary, confusing, and burdensome. Response: The proposed authorization requirements are intended to ensure that an individual's authorization is truly voluntary. The additional elements required for authorizations initiated by the covered entity for its own uses and disclosures or for receipt of protected health information from other covered entities to carry out treatment, payment, or health care operations address concerns that are unique to these forms of authorization. (See above regarding requirements for research authorizations under Sec. 164.508(f).) First, when applicable, these authorizations must state that the covered entity will not condition treatment, payment, eligibility, or enrollment on the individual's providing authorization for the requested use or disclosure. This statement is not appropriate for authorizations initiated by the individual or another person who does not have the ability to withhold services if the individual does not authorize the use or disclosure. Second, the authorization must state that the individual may refuse to sign the authorization. This statement is intended to signal to the individual that the authorization is voluntary and may not be accurate if the authorization is obtained by a person other than a covered entity. Third, these authorizations must describe the purpose of the use or disclosure. We do not include this element in the core requirements because we understand there may be times when the individual does not want the covered entity maintaining the protected health information to know the purpose for the use or disclosure. For example, an individual contemplating litigation may not want the covered entity to know that litigation is the purpose of the disclosure. If the covered entity is initiating the authorization for its own use or disclosure, however, the individual and the covered entity maintaining the protected health information should have a mutual understanding of the purpose of the use or disclosure. Similarly, when a covered entity is requesting authorization for a disclosure by another covered entity that may have already obtained the individual's consent for the disclosure, the individual and covered entity that maintains the protected health information should be aware of this potential conflict. There are two additional requirements for authorizations requested by a covered entity for its own use or disclosure of protected health information it maintains. First, we require the covered entity to describe the individual's right to inspect or copy the protected health information to be used or disclosed. Individuals may want to review the information to be used or disclosed before signing the authorization and should be reminded of their ability to do so. This requirement is not appropriate for authorizations for a covered entity to receive protected health information from another covered entity, however, because the covered entity requesting the authorization is not the covered entity that maintains the protected health information and cannot, therefore, grant or describe the individual's right to access the information. If applicable, we also require a covered entity that requests an authorization for its own use or disclosure to state that the use or disclosure of the protected health information will result in direct or indirect remuneration to the entity. Individuals should be aware of any conflicts of interest or financial incentives on the part of the covered entity requesting the use or disclosure. These statements are not appropriate, however, in relation to uses and disclosures to carry out treatment, payment, and health care operations. Uses and disclosures for these purposes will often involve remuneration by the nature of the use or disclosure, not due to any conflict of interest on the part of either covered entity. We note that authorizations requested by a covered entity include authorizations requested by the covered entity's business associate on the covered entity's behalf. Authorizations requested by a business associate on the covered entity's behalf and that authorize the use or disclosure of protected health information by the covered entity or the business associate must meet the requirements in Sec. 164.508(d). Similarly, authorizations requested by a business associate on behalf of a covered entity to accomplish the disclosure of protected health information to that business associate or covered entity as described in Sec. 164.508(e) must meet the requirements of that provision. We disagree that these elements are unnecessary, confusing, or burdensome. We require them to ensure that the individual has a complete understanding of what he or she is agreeing to permit. Comment: Many commenters suggested we include in the regulation text a provision stated in the preamble that entities and their business partners must limit their uses and disclosures to the purpose(s) specified by the individual in the authorization. Response: We agree. In accordance with Sec. 164.508(a)(1), covered entities may only use or disclose protected health information consistent with the authorization. In accordance with Sec. 164.504(e)(2), a business associate may not make any uses or disclosures that the covered entity couldn't make. Comment: Some comments suggested that authorizations should identify the source and amount of financial gain, if any, resulting from the proposed disclosure. Others suggested that the proposed financial gain requirements were too burdensome and would decrease trust between patients and providers. Commenters recommended that the requirement either should be eliminated or should only require covered entities, when applicable, to state that direct and foreseeable financial gain to the covered entity will result. Others requested clarification of how the requirement for covered entities to disclose financial gain relates to the criminal penalties that accrue for offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Some commenters advocated use of the term ``financial compensation'' rather than ``financial gain'' to avoid confusion with in-kind compensation rules. Some comments additionally suggested excluding marketing uses and disclosures from the requirements regarding financial gain. Response: We agree that clarification is warranted. In Sec. 164.508(d)(1)(iv) of the final rule, we require a covered entity that asks an individual to sign an authorization for the covered entity's use or disclosure of protected health information and that will receive direct [[Page 82662]] or indirect remuneration from a third party for the use or disclosure, to state that fact in the authorization. Remuneration from a third party includes payments such as a fixed price per disclosure, compensation for the costs of compiling and sending the information to be disclosed, and, with respect to marketing communications, a percentage of any sales generated by the marketing communication. For example, a device manufacturer may offer to pay a fixed price per name and address of individuals with a particular diagnosis, so that the device manufacturer can market its new device to people with the diagnosis. The device manufacturer may also offer the covered entity a percentage of the profits from any sales generated by the marketing materials sent. If a covered entity seeks an authorization to make such a disclosure, the authorization must state that the remuneration will occur. We believe individuals should have the opportunity to weigh the covered entity's potential conflict of interest when deciding to authorize the covered entity's use or disclosure of protected health information. We believe that the term ``remuneration from a third party'' clarifies our intent to describe a direct, tangible exchange, rather than the mere fact that parties intend to profit from their enterprises. Comment: One commenter suggested we require covered entities to request authorizations in a manner that does not in itself disclose sensitive information. Response: We agree that covered entities should make reasonable efforts to avoid unintentional disclosures. In Sec. 164.530(c)(2), we require covered entities to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. Comment: Some commenters requested clarification that covered entities are permitted to seek authorization at the time of enrollment or when individuals otherwise first interact with covered entities. Similarly, commenters requested clarification that covered entities may disclose protected health information created after the date the authorization was signed but prior to the expiration date of the authorization. These commenters were concerned that otherwise multiple authorizations would be required to accomplish a single purpose. Other comments suggested that we prohibit prospective authorizations (i.e., authorizations requested prior to the creation of the protected health information to be disclosed under the authorization) because it is not possible for individuals to make informed decisions about these authorizations. Response: We confirm that covered entities may act on authorizations signed in advance of the creation of the protected health information to be released. We note, however, that all of the required elements must be completed, including a description of the protected health information to be used or disclosed pursuant to the authorization. This description must identify the information in a specific and meaningful fashion so that the individual can make an informed decision as to whether to sign the authorization. Comment: Some commenters suggested that the final rule prohibit financial incentives, such as premium discounts, designed to encourage individuals to sign authorizations. Response: We do not prohibit or require financial incentives for authorizations. We have attempted to ensure that authorizations are entered into voluntary. If a covered entity chooses to offer a financial incentive for the individual to sign the authorization, and the individual chooses to accept it, they are free to do so. Section 164.510--Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object Section 164.510(a)--Use and Disclosure for Facility Directories Comment: Many hospital organizations opposed the NPRM's proposed opt-in approach to disclosure of directory information. These groups noted the preamble's statement that most patients welcomed the convenience of having their name, location, and general condition included in the patient directory. They said that requiring hospitals to obtain authorization before including patient information in the directory would cause harm to many patients' needs in an effort to serve the needs of the small number of patients who may not want their information to be included. Specifically, they argued that the proposed approach ultimately could have the effect of making it difficult or impossible for clergy, family members, and florists to locate patients for legitimate purposes. In making this argument, commenters pointed to problems that occurred after enactment of privacy legislation in the State of Maine in 1999. The legislation, which never was officially implemented, was interpreted by hospitals to prohibit disclosure of patient information to directories without written consent. As a result, when hospitals began complying with the law based on their interpretation, family members and clergy had difficulty locating patients in the hospital. Response: We share commenters' concern about the need to ensure that family members and clergy who have a legitimate need to locate patients are not prevented from doing so by excessively stringent restrictions on disclosure of protected health information to health care facilities' directories. Accordingly, the final rule takes an opt- out approach, stating that health care institutions may include the name, general condition, religious affiliation, and location of a patient within the facility in the facility's directory unless the patient explicitly objects to the use or disclosure of protected health information for directory purposes. To ensure that this opt-out can be exercised, the final rule requires facilities to notify individuals of their right not to be included in the directory and to give them the opportunity to opt out. The final rule indicates that the notice and opt-out may be oral. The final rule that allows health care facilities to disclose to clergy the four types of protected health information specified above without requiring the clergy to ask for the individual by name will allow the clergy to identify the members of his or her faith who are in the facility, thus ensuring that this rule will not significantly interfere with the exercise of religion, including the clergy's traditional religious mission to provide services to individuals. Comment: A small number of commenters recommended requiring written authorization for all disclosures of protected health information for directory purposes. These commenters believed that the NPRM's proposed provision allowing oral agreement would not provide sufficient privacy protection; that it did not sufficiently hold providers accountable for complying with patient wishes; and that it could create liability issues for providers. Response: The final rule does not require written authorization for disclosure of protected health information for directory purposes. We believe that requiring written authorization in these cases would increase substantially the administrative burdens and costs for covered health care providers and could lead to significant inconvenience for families and others attempting to locate individuals in health care institutions. Experience from the State of Maine suggests that requiring written authorization before patient information may be included in facility directories [[Page 82663]] can be disruptive for providers, families, clergy, and others. Comment: Domestic violence organizations raised concerns that including information about domestic violence victims in health care facilities' directories could result in further harm to victims. The NPRM addressed the issue of potential danger to patients by stating that when patients were incapacitated, covered health care providers could exercise discretion--consistent with good medical practice and prior expression of patient preference--regarding whether to disclose protected health information for directory purposes. Several commenters recommended prohibiting providers from including information in a health care facility's directory about incapacitated individuals when the provider reasonably believed that the injuries to the individual could have been caused by domestic violence. These groups believed that such a prohibition was necessary to prevent abusers from locating and causing further harm to domestic violence patients. Response: We share commenters' concerns about protecting victims of domestic violence from further abuse. We are also concerned, however, that imposing an affirmative duty on institutions not to disclose information any time injuries to the individual could have been the result of domestic violence would place too high a burden on health care facilities, essentially requiring them to rule out domestic violence as a potential cause of the injuries before disclosing to family members that an incapacitated person is in the institution. We do believe, however, that it is appropriate to require covered health care providers to consider whether including the individual's name and location in the directory could lead to serious harm. As in the preamble to the NPRM, in the preamble to the final rule, we encourage covered health care providers to consider several factors when deciding whether to include an incapacitated patient's information in a health care facility's directory. One of these factors is whether disclosing an individual's presence in the facility could reasonably cause harm or danger to the individual (for example, if it appeared that an unconscious patient had been abused and disclosing that the individual is in the facility could give the attacker sufficient information to seek out the person and repeat the abuse). Under the final rule, when the opportunity to object to uses and disclosures for a facility's directory cannot practicably be provided due to an individual's incapacity or an emergency treatment circumstance, covered health care providers may use or disclose some or all of the protected health information that the rule allows to be included in the directory, if the disclosure is: (1) consistent with the individual's prior expressed preference, if known to the covered health care provider; and (2) in the individual's best interest, as determined by the covered health care provider in the exercise of professional judgement. The rule allows covered health care providers making decisions about incapacitated patients to include some portions of the patient's information (such as name) but not other information (such as location in the facility) to protect patient interests. Section 164.510(b)--Uses and Disclosures for Involvement in the Individual's Care and Notification Purposes Comment: A number of comments supported the NPRM's proposed approach, which would have allowed covered entities to disclose protected health information to the individual's next of kin, family members, or other close personal friends when the individual verbally agreed to the disclosure. These commenters agreed that the presumption should favor disclosures to the next of kin, and they believed that health care providers should encourage individuals to share genetic information and information about transmittable diseases with family members at risk. Others agreed with the general approach but suggested the individual's agreement be noted in the medical record. These commenters also supported the NPRM's proposed reliance on good professional practices and ethics to determine when disclosures should be made to the next of kin when the individual's agreement could not practicably be obtained. A few commenters recommended that the individual's agreement be in writing for the protection of the covered entity and to facilitate the monitoring of compliance with the individual's wishes. These commenters were concerned that, absent the individual's written agreement, the covered entity would become embroiled in intra-family disputes concerning the disclosures. Others argued that the individual's authorization should be obtained for all disclosures, even to the next of kin. One commenter favored disclosures to family members and others unless the individual actively objected, as long as the disclosure was consistent with sound professional practice. Others believed that no agreement by the individual was necessary unless sensitive medical information would be disclosed or unless the health care provider was aware of the individual's prior objection. These commenters recommended that good professional practice and ethics determine when disclosures were appropriate and that disclosure should relate only to the individual's current treatment. A health care provider organization said that the ethical and legal obligations of the medical professional alone should control in this area, although it believed the proposed rule was generally consistent with these obligations. Response: The diversity of comments regarding the proposal on disclosures to family members, next of kin, and other persons, reflects a wide range of current practice and individual expectations. We believe that the NPRM struck the proper balance between the competing interests of individual privacy and the need that covered health care providers may have, in some cases, to have routine, informal conversations with an individual's family and friends regarding the individual's treatment. We do not agree with the comments stating that all such disclosures should be made only with consent or with the individual's written authorization. The rule does not prohibit obtaining the agreement of the individual in writing; however, we believe that imposing a requirement for consent or written authorization in all cases for disclosures to individuals involved in a person's care would be unduly burdensome for all parties. In the final rule, we clarify the circumstances in which such disclosures are permissible. The rule allows covered entities to disclose to family members, other relatives, close personal friends of the individual, or any other person identified by the individual, the protected health information directly relevant to such person's involvement with the individual's care or payment related to the individual's health care. In addition, the final rule allows covered entities to use or disclose protected health information to notify, or assist in the notification of (including identifying or locating) a family member, a personal representative of the individual, or another person responsible for the care of the individual, of the individual's location, general condition, or death. The final rule includes separate provisions for situations in which the individual is present and for when the individual is not present at the time of disclosure. When the individual is present and can make his or her own decisions, a covered entity may disclose protected health information only if the covered entity: (1) Obtains the [[Page 82664]] individual's agreement to disclose to the third parties involved in the individual's care; (2) provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or (3) reasonably infers from the circumstances, based on the exercise of professional judgement, that the individual does not object to the disclosure. The final rule continues to permit disclosures in circumstances when the individual is not present or when the opportunity to agree or object to the use or disclosure cannot practicably be provided due to the individual's incapacity or an emergency circumstance. In such instances, covered entities may, in the exercise of professional judgement, determine whether the disclosure is in the individual's best interests and if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care. As discussed in the preamble for this section, we do not intend to disrupt most covered entities' current practices with respect to informing family members and others with whom a patient has a close personal relationship about a patient's specific health condition when a patient is incapacitated due to a medical emergency and the family member or close personal friend comes to the covered entity to ask about the patient's condition. To the extent that disclosures to family members and others in these situations currently are allowed under state law and covered entities' own rules, Sec. 164.510(b) allows covered entities to continue making them in these situations, consistent with the exercise of professional judgement as to the patient's best interest. As indicated in the preamble above, this section is not intended to provide a loophole for avoiding the rule's other requirements, and it is not intended to allow disclosures to a broad range of individuals, such as journalists who may be curious about a celebrity's health status. Comments: A few comments supported the NPRM approach because it permitted the current practice of allowing someone other than the patient to pick up prescriptions at pharmacies. One commenter noted that this practice occurs with respect to 25-40% of the prescriptions dispensed by community retail pharmacies. These commenters strongly supported the proposal's reliance on the professional judgement of pharmacists in allowing others to pick up prescriptions for bedridden or otherwise incapacitated patients, noting that in most cases it would be impracticable to verify that the person was acting with the individual's permission. Two commenters requested that the rule specifically allow this practice. One comment opposed the practice of giving prescriptions to another person without the individual's authorization, because a prescription implicitly could disclose medical information about the individual. Response: As stated in the NPRM, we intended for this provision to authorize pharmacies to dispense prescriptions to family or friends who are sent by the individual to the pharmacy to pick up the prescription. We believe that stringent consent or verification requirements would place an unreasonable burden on numerous transactions. In addition, such requirements would be contrary to the expectations and preferences of all parties to these transactions. Although prescriptions are protected health information under the rule, we believe that the risk to individual privacy in allowing this practice to continue is minimal. We agree with the suggestion that the final rule should state explicitly that pharmacies have the authority to operate in this manner. Therefore, we have added a sentence to Sec. 164.510(b)(3) allowing covered entities to use professional judgement and experience with common practice to make reasonable inferences of an individual's best interest in allowing a person to act on the individual's behalf to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. In such situations, as when making disclosures of protected health information about an individual who is not present or is unable to agree to such disclosures, covered entities should disclose only information which directly relates to the person's involvement in the individual's current health care. Thus, when dispensing a prescription to a friend who is picking it up on the patient's behalf, the pharmacist should not disclose unrelated health information about medications that the patient has taken in the past which could prove embarrassing to the patient. Comment: We received a few comments that misunderstood the provision as addressing disclosures related to deceased individuals. Response: We understand that use of the term next of kin in this section may cause confusion. To promote clarity in the final rule, we eliminate the term ``next of kin,'' as well as the term's proposed definition. In the final rule, we address comments on next of kin and the deceased in the section on disclosure of protected health information about deceased individuals in Sec. 164.512(g). Comments: A number of commenters expressed concern for the interaction of the proposed section with state laws. Some of these comments interpreted the NPRM's use of the term next of kin as referring to individuals with health care power of attorney and thus they believed that the proposed rule's approach to next of kin was inappropriately informal and in conflict with state law. Others noted that some state laws did not allow health care information to be disclosed to family or friends without consent or other authorization. One commenter said that case law may be evolving toward imposing a more affirmative duty on health care practitioners to inform next of kin in a variety of circumstances. One commenter noted that state laws may not define clearly who is considered to be the next of kin. Response: The intent of this provision was not to interfere with or change current practice regarding health care powers of attorney or the designation of other personal representatives. Such designations are formal, legal actions which give others the ability to exercise the rights of or make treatment decisions related to individuals. While persons with health care powers of attorney could have access to protected health information under the personal representatives provision (Sec. 164.502(g)), and covered entities may disclose to such persons under this provision, such disclosures do not give these individuals substantive authority to act for or on behalf of the individual with respect to health care decisions. State law requirements regarding health care powers of attorney continue to apply. The comments suggesting that state laws may not allow the disclosures otherwise permitted by this provision or, conversely, that they may impose a more affirmative duty, did not provide any specifics with which to judge the affect of such laws. In general, however, state laws that are more protective of an individual's privacy interests than the rule by prohibiting a disclosure of protected health information continue to apply. The rule's provisions regarding disclosure of protected health information to family or friends of the individual are permissive only, enabling covered entities to abide by more stringent state laws without violating our rules. Furthermore, if the state law creates an affirmative and binding legal obligation on the covered entity to make disclosures to family or other persons under specific circumstances, the final rule allows covered entities to comply [[Page 82665]] with these legal obligations. See Sec. 164.512(a). Comments: A number of commenters supported the proposal to limit disclosures to family or friends to the protected health information that is directly relevant to that person's involvement in the individual's health care. Some comments suggested that this standard apply to all disclosures to family or friends, even when the individual has agreed to or not objected to the disclosure. One commenter objected to the proposal, stating that it would be too difficult to administer. According to this comment, it is accepted practice for health care providers to communicate with family and friends about an individual's condition, regardless of whether the person is responsible for or otherwise involved in the individual's care. Other comments expressed concern for disclosures related to particular types of information. For example, two commenters recommended that psychotherapy notes not be disclosed without patient authorization. One commenter suggested that certain sensitive medical information associated with social stigma not be disclosed to family members or others without patient consent. Response: We agree with commenters who advocated limiting permissible disclosures to relatives and close personal friends to information consistent with a person's involvement in the individual's care. Under the final rule, we clarify the NPRM provision to state that covered entities may disclose protected health information to family members, relatives, or close personal friends of an individual or any other person identified by the individual, to the extent that the information directly relates to the person's involvement in the individual's current health care. It is not intended to allow disclosure of past medical history that is not relevant to the individual's current condition. In addition, as discussed above, we do not intend to disrupt covered entities' current practices with respect to disclosing specific information about a patient's condition to family members or others when the individual is incapacitated due to a medical emergency and the family member or other individual comes to the covered entity seeking specific information about the patient's condition. For example, this section allows a hospital to disclose to a family member the fact that a patient had a heart attack, and to provide updated information to the family member about the patient's progress and prognosis during his or her period of incapacity. We agree with the recommendation to require written authorization for a disclosure of psychotherapy notes to family, close personal friends, or others involved in the individual's care. As discussed below, the final rule allows disclosure of psychotherapy notes without authorization in a few limited circumstances; disclosure to individuals involved in a person's care is not among those circumstances. See Sec. 164.508 for a further discussion of the final rule's provisions regarding disclosure of psychotherapy notes. We do not agree, however, with the suggestion to treat some medical information as more sensitive than others. In most cases, individuals will have the opportunity to prohibit or limit such disclosures. For situations in which an individual is unable to do so, covered entities may, in the exercise of professional judgement, determine whether the disclosure is in the individual's best interests and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care. Comment: One commenter suggested that this provision should allow disclosure of protected health information to the clergy and to the Red Cross. The commenter noted that clergy have ethical obligations to ensure confidentiality and that the Red Cross often notifies the next of kin regarding an individual's condition in certain circumstances. Another commenter recommended allowing disclosures to law enforcement for the purpose of contacting the next of kin of individuals who have been injured or killed. One commenter sought clarification that ``close personal friend'' was intended to include domestic partners and same- sex couples in committed relationships. Response: As discussed above, Sec. 164.510(a) allows covered health care providers to disclose to clergy protected health information from a health care facility's directory. Under Sec. 164.510(b), an individual may identify any person, including clergy, as involved in his or her care. This approach provides more flexibility than the proposed rule would have provided. As discussed in the preamble of the final rule, this provision allows disclosures to domestic partners and others in same-sex relationships when such individuals are involved in an individual's care or are the point of contact for notification in a disaster. We do not intend to change current practices with respect to involvement of others in an individual's treatment decisions; informal information- sharing among persons involved; or the sharing of protected health information during a disaster. As noted above, a power of attorney or other legal relationship to an individual is not necessary for these informal discussions about the individual for the purpose of assisting in or providing a service related to the individual's care. We agree with the comments noting that the Red Cross and other organizations may play an important role in locating and communicating with the family about individuals injured or killed in an accident or disaster situation. Therefore, the final rule includes new language, in Sec. 164.510(b)(4), which allows covered entities to use or disclose protected health information to a public or private entity authorized by law or its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities to notify, or assist in the notification of (including identifying or locating) a family member, an individual's personal representative, or another person responsible for the individual's care regarding the individual's location, general condition, or death. The Red Cross is an example of a private entity that may obtain protected health information pursuant to these provisions. We recognize the role of the Red Cross and similar organizations in disaster relief efforts, and we encourage cooperation with these entities in notification efforts and other means of assistance. Comment: One commenter recommended stating that individuals who are mentally retarded and unable to agree to disclosures under this provision do not, thereby, lose their access to further medical treatment. This commenter also proposed stating that mentally retarded individuals who are able to provide agreement have the right to control the disclosure of their protected health information. The commenter expressed concern that the parent, relative, or other person acting in loco parentis may not have the individual's best interest in mind in seeking or authorizing for the individual the disclosure of protected health information. Response: The final rule regulates only uses and disclosures of protected health information, not the delivery of health care. Under the final rule's section on personal representatives (Sec. 164.502(g)), a person with authority to make decisions about the health care of an individual, under applicable law, may make decisions about the protected health information of that individual, to the extent that the protected health information is relevant to such person's representation. [[Page 82666]] In the final rule, Sec. 164.510(b) may apply to permit disclosures to a person other than a personal representative. Under Sec. 164.510(b), when an individual is present and has the capacity to make his or her own decisions, a covered entity may disclose protected health information only if the covered entity: (1) Obtains the individual's agreement to disclose protected health information to the third parties involved in the individual's care; (2) provides the individual with an opportunity to object to such disclosure, and the individual does not express an objection; or (3) reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. These conditions apply to disclosure of protected health information about individuals with mental retardation as well as to disclosures about all other individuals. Thus we do not believe it is necessary to include in this section of the final rule any language specifically on persons with mental retardation. Comments: A few commenters recommended that disclosures made in good faith to the family or friends of the individual not be subject to sanctions by the Secretary, even if the covered entity had not fully complied with the requirements of this provision. One commenter believed that a fear of sanction would make covered entities overly cautious, such that they would not disclose protected health information to domestic partners or others not recognized by law as next of kin. Another commenter recommended that sanctions not be imposed if the covered entity has proper policies in place and has trained its staff appropriately. According to this commenter, the lack of documentation of disclosures in a particular case or medical record should not subject the entity to sanctions if the information was disclosed in good faith. Response: We generally agree with commenters regarding disclosure in good faith pursuant to this provision. As discussed above, the final rule expands the scope of individuals to whom covered entities may disclose protected health information pursuant to this section. In addition, we delete the term next of kin, to avoid the appearance of requiring any legal determination of a person's relationship in situations involving informal disclosures. Similarly, consistent with the informal nature of disclosures pursuant to this section, we do not require covered entities to document such disclosures. If a covered entity imposes its own documentation requirements and a particular covered health care provider does not follow the entity's documentation requirements, the disclosure is not a violation of this rule. Comments: The majority of comments on this provision were from individuals and organizations concerned about domestic violence. Most of these commenters wanted assurance that domestic violence would be a consideration in any disclosure to the spouse or relatives of an individual whom the covered entity suspected to be a victim of domestic violence or abuse. In particular, these commenters recommended that disclosures not be made to family members suspected of being the abuser if to do so would further endanger the individual. Commenters believed that this limitation was particularly important when the individual was unconscious or otherwise unable to object to the disclosures. Response: We agree with the comments that victims of domestic violence and other forms of abuse need special consideration in order to avoid further harm, and we provide for discretion of a covered entity to determine that protected health information not be disclosed pursuant to Sec. 164.510(b). Section 164.510(b) of the final rule, disclosures to family or friends involved in the individual's care, states that when an individual is unable to agree or object to the disclosure due to incapacity or another emergency situation, a covered entity must determine based on the exercise of professional judgment whether it is in the individual's best interest to disclose the information. As stated in the preamble, we intend for this exercise of professional judgment in the individual's best interest to account for the potential for harm to the individual in cases involving domestic violence. These circumstances are unique and are best decided by a covered entity, in the exercise of professional judgment, in each situation rather than by a blanket rule. Section 164.512--Uses and Disclosures for Which Consent, Authorization, or Opportunity to Agree or Object Is Not Required Section 164.512(a)--Uses and Disclosures Required by Law Comment: Numerous commenters addressed directly or by implication the question of whether the provision permitting uses and disclosures of protected health information if required by other law was necessary. Other commenters generally endorsed the need for such a provision. One such commenter approved of the provision as a needed fail-safe mechanism should the enumeration of permissible uses and disclosures of protected health information in the NPRM prove to be incomplete. Other commenters cited specific statutes which required access to protected health information, arguing that such a provision was necessary to ensure that these legally mandated disclosures would continue to be permitted. For example, some commenters argued for continued access to protected health information to investigate and remedy abuse and neglect as currently required by the Developmental Disabilities Assistance and Bill of Rights, 42 U.S.C. 6042, and the Protection and Advocacy for Mentally Ill Individuals Act, 42 U.S.C. 10801. Some comments urged deletion of the provision for uses and disclosures required by other law. This concern appeared to be based on a generalized concern that the provision fostered government intrusion into individual medical information. Finally, a number of commenters also urged that the required by law provision be deleted. These commenters argued that the proposed provision would have undermined the intent of the statute to preempt state laws which were less protective of individual privacy. As stated in these comments, the provision for uses and disclosures required by other law was ``broadly written and could apply to a variety of state laws that are contrary to the proposed rule and less protective of privacy. (Indeed, a law requiring disclosure is the least protective of privacy since it allows for no discretion.) The breadth of this provision greatly exceeds the exceptions to preemption contained in HIPAA.'' Response: We agree with the comments that proposed Sec. 164.510(n) was necessary to harmonize the rule with existing state and federal laws mandating uses and disclosures of protected health information. Therefore, in the final rule, the provision permitting uses and disclosures as required by other law is retained. To accommodate other reorganization of the final rule, this provision has been designated as Sec. 164.512(a). We do not agree with the comments expressing concern for increased governmental intrusion into individual privacy under this provision. The final rule does not create any new duty or obligation to disclose protected health information. Rather, it permits covered entities to use or disclose protected health information when they are required by law to do so. [[Page 82667]] We likewise disagree with the characterization of the proposed provision as inconsistent with or contrary to the preemption standards in the statute or Part 160 of the rule. As described in the NPRM, we intend this provision to preserve access to information considered important enough by state or federal authorities to require its disclosure by law. The importance of these required uses or disclosures is evidenced by the legislative or other public process necessary for the government to create a legally binding obligation on a covered entity. Furthermore, such required uses and disclosures arise in a myriad of other areas of law, ranging from topics addressing national security (uses and disclosures to obtain security clearances), to public health (reporting of communicable diseases), to law enforcement (disclosures of gun shot wounds). Required uses and disclosures also may address broad national concerns or particular regional or state concerns. It is not possible, or appropriate, for HHS to reassess the legitimacy of or the need for each of these mandates in each of their specialized contexts. In some cases where particular concerns have been raised by legal mandates in other laws, we allow disclosure as required by law, and we establish additional requirements to protect privacy (for example, informing the individual as required in Sec. 164.512(c)) when covered entities make a legally mandated disclosure. We also disagree with commenters who suggest that the approach in the final rule is contrary to the preemption provisions in HIPAA. HIPAA provides HHS with broad discretion in fashioning privacy protections. Recognizing the legitimacy of existing legal requirements is certainly within the Secretary's discretion. Additionally, given the variety of these laws, the varied contexts in which they arise, and their significance in ensuring that important public policies are achieved, we do not believe that Congress intended to preempt each such law unless HHS specifically recognized the law or purpose in the regulation. Comment: A number of commenters urged that the provision permitting uses and disclosures required by other law be amended by deleting the last sentence which stated: ``This paragraph does not apply to uses or disclosures that are covered by paragraphs (b) through (m) of this section.'' Some commenters sought deletion of this sentence to avoid any inadvertent preemption of mandatory reporting laws, and requested clarification of the effect on specific statutes. The majority of the commenters focused their concerns on the potential conflict between mandatory reporting laws to law enforcement and the limitations imposed by proposed Sec. 164.510(f), on uses and disclosures to law enforcement. For example, the comments raised concerns that mandatory reporting to law enforcement of injuries resulting from violent acts and abuse require the health care provider to initiate such reports to local law enforcement or other state agencies, while the NPRM would have allowed such reporting on victims of crimes only in response to specific law enforcement requests for information. Similarly, mandatory reports of violence-related injuries may implicate suspected perpetrators, as well as victims, and compliance with such laws could be blocked by the proposed requirement that disclosures about suspects was similarly limited to a response to law enforcement inquiries for the specific purpose of identifying the suspect. The NPRM also would have limited the type of protected health information that could have been disclosed about a suspect or fugitive. In general, commenters sought to resolve this overlap by removing the condition that the required-by-other-law provision applied only when no other national priority purpose addressed the particular use or disclosure. The suggested change would permit the covered entity to comply with legally mandated uses and disclosures as long as the relevant requirements of that law were met. Alternatively, other commenters suggested that the restrictions on disclosures to law enforcement be lifted to permit full compliance with laws requiring reporting for these purposes. Finally, some comments sought clarification of when a use or disclosure was ``covered by paragraphs (b) through (m).'' These commenters were confused as to whether a particular use or disclosure had to be specifically addressed by another provision of the rule or simply within the scope of the one of the national priority purposes specified by proposed paragraphs (b) through (m). Response: We agree with the commenters that the provision as proposed would have inadvertently interfered with many state and federal laws mandating the reporting to law enforcement or others of protected health information. In response to these comments, we have modified the final rule to clarify how this section interacts with the other provisions in the rule. Comment: A number of commenters sought expanded authority to use and disclosure protected health information when permitted by other law, not just when required by law. These comments specified a number of significant duties or potential societal benefits from disclosures currently permitted or authorized by law, and they expressed concern should these beneficial uses and disclosures no longer be allowed if not specifically recognized by the rule. For example, one commenter listed 25 disclosures of health records that are currently permitted, but not required, by state law. This commenter was concerned that many of these authorized uses and disclosures would not be covered by any of the national priority purposes specified in the NPRM, and, therefore, would not be a permissible use or disclosure under the rule. To preserve these important uses and disclosures, the comments recommended that provision be made for any use or disclosure which is authorized or permitted by other law. Response: We do not agree with the comments that seek general authority to use and disclose protected health information as permitted, but not required, by other law. The uses and disclosures permitted in the final rule reflect those purposes and circumstances which we believe are of sufficient national importance or relevance to the needs of the health care system to warrant the use or disclosure of protected health information in the absence of either the individual's express authorization or a legal duty to make such use or disclosure. In permitting specific uses and disclosures that are not required by law, we have considered the individual privacy interests at stake in each area and crafted conditions or limitations in each identified area as appropriate to balance the competing public purposes and individual privacy needs. A general rule authorizing any use or disclosure that is permitted, but not required, by other law would undermine the careful balancing in the final rule. In making this judgment, we have distinguished between laws that mandate uses or disclosures and laws that merely permit them. In the former case, jurisdictions have determined that public policy purposes cannot be achieved absent the use of certain protected health information, and we have chosen in general not to disturb their judgments. On the other hand, where jurisdictions have determined that certain protected health information is not necessary to achieve [[Page 82668]] a public policy purpose, and only have permitted its use or disclosure, we do not believe that those judgments reflect an interest in use or disclosure strong enough to override the Congressional goal of protecting privacy rights. Moreover, the comments failed to present any compelling circumstance to warrant such a general provision. Despite commenters' concerns to the contrary, most of the beneficial uses and disclosures that the commenters referenced to support a general provision were, in fact, uses or disclosures already permissible under the rule. For example, the general statutory authorities relied on by one state health agency to investigate disease outbreaks or to comply with health data-gathering guidelines for reporting to certain federal agencies are permissible disclosures to public health agencies. Finally, in the final rule, we add new provisions to Sec. 164.512 to address three examples raised by commenters of uses and disclosures that are authorized or permitted by law, but may not be required by law. First, commenters expressed concern for the states that provide for voluntary reporting to law enforcement or state protective services of domestic violence or of abuse, neglect or exploitation of the elderly or other vulnerable adults. As discussed below, a new section, Sec. 164.512(c), has been added to the final rule to specifically address uses and disclosures of protected health information in cases of abuse, neglect, or domestic violence. Second, commenters were concerned about state or federal laws that permitted coordination and cooperation with organizations or entities involved in cadaveric organ, eye, or tissue donation and transplantation. In the final rule, we add a new section, Sec. 164.512(h), to permit disclosures to facilitate such donation and transplantation functions. Third, a number of commenters expressed concern for uses and disclosure permitted by law in certain custodial settings, such as those involving correctional or detention facilities. In the final rule, we add a new subsection to the section on uses and disclosures for specialized government functions, Sec. 164.512(k), to identify custodial settings in which special rules are necessary and to specify the additional uses and disclosures of the protected health information of inmates or detainees which are necessary in such facilities. Comment: A number of commenters asked for clarification of the term ``law'' and the phrase ``required by law'' for purposes of the provision permitting uses or disclosures that are required by law. Some of the commenters noted that ``state law'' was a defined term in Part 160 of the NPRM and that the terms should be used consistently. Other commenters were concerned about differentiating between laws that required a use or disclosure and those that merely authorize or permit a use or disclosure. A number of commenters recommended that the final rule include a definitive list of the laws that mandate a use or disclosure of protected health information. Response: In the final rule, we clarify that, consistent with the ``state law'' definition in Sec. 160.202, ``law'' is intended to be read broadly to include the full array of binding legal authority, such as constitutions, statutes, rules, regulations, common law, or other governmental actions having the effect of law. However, for the purposes of Sec. 164.512(a), law is not limited to state action; rather, it encompasses federal, state or local actions with legally binding effect, as well as those by territorial and tribal governments. For more detail on the meaning of ``required by law,'' see Sec. 164.501. Only where the law imposes a duty on the health care professional to report would the disclosure be considered to be required by law. The final rule does not include a definitive list of the laws that contain legal mandates for disclosures of protected health information. In light of the breadth of the term ``law'' and number of federal, state, local, and territorial or tribal authorities that may engage in the promulgation of binding legal authority, it would be impossible to compile and maintain such a list. Covered entities have an independent duty to be aware of their legal obligations to federal, state, local and territorial or tribal authorities. The rule's approach is simply intended to avoid any obstruction to the health plan or covered health care provider's ability to comply with its existing legal obligations. Comment: A number of commenters recommended that the rule compel covered entities to use or disclose protected health information as required by law. They expressed concern that covered entities could refuse or delay compliance with legally mandated disclosures by misplaced reliance on a rule that permits, but does not require, a use or disclosure required by other law. Response: We do not agree that the final rule should require covered entities to comply with uses or disclosures of protected health information mandated by law. The purpose of this rule is to protect privacy, and to allow those disclosures consistent with sound public policy. Consistent with this purpose, we mandate disclosure only to the individual who is the subject of the information, and for purposes of enforcing the rule. Where a law imposes a legal duty on the covered entity to use or disclose protected health information, it is sufficient that the privacy rule permit the covered entity to comply with such law. The enforcement of that legal duty, however, is a matter for that other law. Section 164.512(b)--Uses and Disclosures for Public Health Activities Comment: Several non-profit entities commented that medical records research by nonprofit entities to ensure public health goals, such as disease-specific registries, would not have been covered by this provision. These organizations collect information without relying on a government agency or law. Commenters asserted that such activities are essential and must continue. They generally supported the provisions allowing the collection of individually identifiable health information without authorization for registries. One stated that both governmental and non-governmental cancer registries should be exempt from the regulation. They stated that ``such entities, by their very nature, collect health information for legitimate public health and research purposes.'' Another, however, addressed its comments only to ``disclosure to non-government entities operating such system as required or authorized by law.'' Response: We acknowledge that such entities may be engaged in disease-specific or other data collection activities that provide a benefit to their members and others affected by a particular malady and that they contribute to the public health and scientific database on low incidence or little known conditions. However, in the absence of some nexus to a government public health authority or other underlying legal authority, it is unclear upon what basis covered entities can determine which registries or collections are ``legitimate'' and how the confidentiality of the registry information will be protected. Commenters did not suggest methods for ``validating'' these private registry programs, and no such methods currently exist at the federal level. It is unknown whether any states have such a program. Broadening the exemption could provide a loophole for private data collections for inappropriate [[Page 82669]] purposes or uses under a ``public health'' mask. In this rule, we do not seek to make judgments as to the legitimacy of private entities' disease-specific registries or of private data collection endeavors. Rather, we establish the general terms and conditions for disclosure and use of protected health information. Under the final rule, covered entities may obtain authorization to disclose protected health information to private entities seeking to establish registries or other databases; they may disclose protected health information as required by law; or they may disclose protected health information to such entities if they meet the conditions of one of the provisions of Secs. 164.510 or 164.512. We believe that the circumstances under which covered entities may disclose protected health information to private entities should be limited to specified national priority purposes, as reflected through the FDA requirements or directives listed in Sec. 164.512(b)(iii), and to enable recalls, repairs, or replacements of products regulated by the FDA. Disclosures by covered health care providers who are workforce members of an employer or are conducting evaluations relating to work-related injuries or illnesses or workplace surveillance also may disclose protected health information to employers of findings of such evaluations that are necessary for the employer to comply with requirements under OSHA and related laws. Comment: Several commenters said that the NPRM did not indicate how to distinguish between public health data collections and government health data systems. They suggested eliminating proposed Sec. 164.510(g) on disclosures and uses for government health data systems, because they believed that such disclosures and uses were adequately covered by proposed Sec. 164.510(b) on public health. Response: As discussed below, we agree with the commenters who suggested that the proposed provision that would have permitted disclosures to government health data bases was overly broad, and we remove it from the final rule. We reviewed the important purposes for which some commenters said government agencies needed protected health information, and we believe that most of those needs can be met through the other categories of permitted uses and disclosures without authorization allowed under the final rule, including provisions permitting covered entities to disclose information (subject to certain limitations) to government agencies for public health, health oversight, law enforcement, and otherwise as required by law. For example, the final rule continues to allow collection of protected health information without authorization to monitor trends in the spread of infectious disease, morbidity and mortality. Comment: Several commenters recommended expanding the scope of disclosures permissible under proposed Sec. 164.510(b)(1)(iii), which would have allowed covered entities to disclose protected health information to private entities that could demonstrate that they were acting to comply with requirements, or at the direction, of a public health authority. These commenters said that they needed to collect individually identifiable health information in the process of drug and device development, approval, and post-market surveillance--activities that are related to, and necessary for, the FDA regulatory process. However, they noted that the specific data collections involved were not required by FDA regulations. Some commenters said that they often devised their own data collection methods, and that health care providers disclosed information to companies voluntarily for activities such as post-marketing surveillance and efficacy surveys. Commenters said they used this information to comply with FDA requirements such as reporting adverse events, filing other reports, or recordkeeping. Commenters indicated that the FDA encouraged but did not require them to establish other data collection mechanisms, such as pregnancy registries that track maternal exposure to drugs and the outcomes. Accordingly, several commenters recommended modifying proposed Sec. 164.510(b) to allow covered entities to disclose protected health information without authorization to manufacturers registered with the FDA to manufacture, distribute, or sell a prescription drug, device, or biological product, in connection with post-marketing safety and efficacy surveillance or for the entity to obtain information about the drug, device, or product or its use. One commenter suggested including in the regulation an illustrative list of examples of FDA-related requirements, and stating in the preamble that all activities taken in furtherance of compliance with FDA regulations are ``public health activities.'' Response: We recognize that the FDA conducts or oversees many activities that are critical to help ensure the safety or effectiveness of the many products it regulates. These activities include, for example, reporting of adverse events, product defects and problems; product tracking; and post-marketing surveillance. In addition, we believe that removing defective or harmful products from the market is a critical national priority and is an important tool in FDA efforts to promote the safety and efficacy of the products it regulates. We understand that in most cases, the FDA lacks statutory authority to require product recalls. We also recognize that the FDA typically does not conduct recalls, repairs, or product replacement surveillance directly, but rather, that it relies on the private entities it regulates to collect data, notify patients when applicable, repair and replace products, and undertake other activities to promote the safety and effectiveness of FDA-regulated products. We believe, however, that modifying the NPRM to allow disclosure of protected health information to private entities as part of any data- gathering activity related to a drug, device, or biological product or its use, or for any activity that is consistent with, or that appears to promote objectives specified, in FDA regulation would represent an inappropriately broad exception to the general requirement to obtain authorization prior to disclosure. Such a change could allow, for example, drug companies to collect protected health information without authorization to use for the purpose of marketing pharmaceuticals. We do not agree that all activities taken to promote compliance with FDA regulations represent public health activities as that term is defined in this rule. In addition, we believe it would not be appropriate to include in the regulation text an ``illustrative list'' of requirements ``related to'' the FDA. The regulation text and preamble list the FDA- related activities for which we believe disclosure of protected health information to private entities without authorization is warranted. We believe it is appropriate to allow disclosure of protected health information without authorization to private entities only: For purposes that the FDA has, in effect, identified as national priorities by issuing regulations or express directions requiring such disclosure; or if such disclosure is necessary for a product recall. For example, we believe it is appropriate to allow covered health care providers to disclose to a medical device manufacturer recalling defective heart valves the names and last known addresses of patients in whom the provider implanted the valves. Thus, in the final rule, we allow covered entities to disclose protected health information to entities subject to FDA jurisdiction for the following activities: To report adverse events (or similar reports with [[Page 82670]] respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations, if the disclosure is made to the person required or directed to report such information to the FDA; to track products if the disclosure is made to a person required or directed by the FDA to track the product; to enable product recalls, repairs, or replacement (including locating and notifying individuals who have received products of product recalls, withdrawals, or other problems); or to conduct post-marketing surveillance to comply with requirements or at the direction of the FDA. The preamble above provides further detail on the meaning of some of the terms in this list. Covered entities may disclose protected health information to entities for activities other than those described above only as required by law; with authorization; or if permissible under another section of this rule. We understand that many private registries, such as pregnancy registries, currently obtain patient authorization for data collection. We believe the approach of Sec. 164.512(b) strikes an appropriate balance between the objective of promoting patient privacy and control over their health information and the objective of allowing private entities to collect data that ultimately may have important public health benefits. Comment: One commenter remarked that our proposal may impede fetal/ infant mortality and child fatality reviews. Response: The final rule permits a covered entity to disclose protected health information to a public health authority authorized by law to conduct public health activities, including the collection of data relevant to death or disease, in accordance with Sec. 164.512(b). Such activities may also meet the definition of ``health care operations.'' We therefore do not believe this rule impedes these activities. Comment: Several comments requested that the final regulation clarify that employers be permitted to use and/or disclose protected health information pursuant to the requirements of the Occupational Safety and Health Act and its accompanying regulations (``OSHA''). A few comments asserted that the regulation should not only permit employers to use and disclose protected health information without first obtaining an authorization consistent with OSHA requirements, but also permit them to use and disclose protected health information if the use or disclosure is consistent with the spirit of OSHA. One commenter supported the permissibility of these types of uses and disclosures, but warned that the regulation should not grant employers unfettered access to the entire medical record of employees for the purpose of meeting OSHA requirements. Other commenters noted that OSHA not only requires disclosures to the Occupational Safety and Health Administration, but also to third parties, such as employers and employee representatives. Thus, this comment asked HHS to clarify that disclosures to third parties required by OSHA are also permissible under the regulation. Response: Employers as such are not covered entities under HIPAA and we generally do not have authority over their actions. When an employer has a health care component, such as an on-site medical clinic, and the components meets the requirements of a covered health care provider, health plan or health care clearinghouse, the uses and disclosures of protected health information by the health care component, including disclosures to the larger employer entity, are covered by this rule and must comply with its provisions. A covered entity, including a covered health care provider, may disclose protected health information to OSHA under Sec. 164.512(a), if the disclosure is required by law, or if the disclosure is a discretionary one for public health activities, under Sec. 164.512(b). Employers may also request employees to provide authorization for the employer to obtain protected health information from covered entities to conduct analyses of work-related health issues. See Sec. 164.508. We also permit covered health care providers who provide health care as a workforce member of an employer or at the request of an employer to disclose protected health information to the employer concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty to keep records on or act on such information under the OSHA or similar laws. We added this provision to ensure that employers are able to obtain the information that they need to meet federal and state laws designed to promote safer and healthier workplaces. These laws are vital to protecting the health and safety of workers and we permit specified covered health care providers to disclose protected health information as necessary to carry out these purposes. Comment: A few comments suggested that the final regulation clarify how it would interact with existing and pending OSHA requirements. One of these comments requested that the Secretary delay the effective date of the regulation until reviews of existing requirements are complete. Response: As noted in the ``Relationship to Other Federal Laws'' section of the preamble, we are not undertaking a complete review of all existing laws with which covered entities might have to comply. Instead we have described a general framework under which such laws may be evaluated. We believe that adopting national standards to protect the privacy of individually identifiable health information is an urgent national priority. We do not believe that it is appropriate to delay the effective date of this regulation. Comment: One commenter asserted that the proposed regulation conflicted with the OSHA regulation requirement that when a designated representative (to whom the employee has already provided a written authorization to obtain access) requests a release form for access to employee medical records, the form must include the purpose for which the disclosure is sought, which the proposed privacy regulation does not require. Response: We do not agree that this difference creates a conflict for covered entities. If an employer seeks to obtain a valid authorization under Sec. 164.508, it may add a purpose statement to the authorization so that it complies with OSHA's requirements and is a valid authorization under Sec. 164.508 upon which a covered entity may rely to make a disclosure of protected health information to the employer. Comment: One commenter stated that access to workplace medical records by the occupational medical physicians is fundamental to workplace and community health and safety. Access is necessary whether it is a single location or multiple sites of the same company, such as production facilities of a national company located throughout the country. Response: We permit covered health care providers who provide health care as a workforce member of an employer or at the request of an employer to disclose protected health information to the employer concerning work-related injuries or illnesses or workplace medical surveillance, as described in this paragraph. Information obtained by an employer under this paragraph would be available for it to use, consistent with other laws and regulations, as it chooses and throughout the national company. We do not regulate uses or disclosures of individually identifiable health [[Page 82671]] information by employers acting as employers. Section 164.512(c)--Disclosures About Victims of Abuse, Neglect, or Domestic Violence The NPRM did not include a paragraph specifically addressing covered entities' disclosures of protected health information regarding victims of abuse, neglect, or domestic violence. Rather, the NPRM addressed disclosures about child abuse pursuant to proposed Sec. 164.510(b), which would have allowed covered entities to report child abuse to a public health authority or to another appropriate authority authorized by law to receive reports of child abuse or neglect. We respond to comments regarding victims of domestic violence or abuse throughout the final rule where relevant. (See responses to comments on Secs. 164.502(g), 164.510(b), 164.512(f)(3), 164.522, and 164.524.) Comment: Several commenters urged us to require that victims of domestic violence be notified about requests for or disclosures of protected health information about them, so that victims could take safety precautions. Response: We agree that, in balancing the burdens on covered entities from such a notification requirement against the benefits to be gained, victims of domestic abuse merit heightened concern. For this reason, we generally require covered entities to inform the individual when they disclose protected health information to authorized government authorities. As the Family Violence Prevention Fund has noted in its Health Privacy Principles for Protecting Victims of Domestic Violence (October 2000), victims of domestic violence and abuse sometimes are subject to retaliatory violence. By informing a victim of abuse or domestic violence of a disclosure to law enforcement or other authorities, covered entities give victims the opportunity to take appropriate safety precautions. See the above preamble discussion of Sec. 164.512(c) for more detail about the requirements for disclosing protected health information about victims of domestic violence. Comment: Some commenters argued that a consent requirement should apply at a minimum to disclosures involving victims of crime or victims of domestic violence. Response: We agree, and we modify the proposed rule to require covered entities to obtain an individual's agreement prior to disclosing protected health information in most instances involving victims of a crime or of abuse, neglect, or domestic violence. See the above preamble discussions of Sec. 164.512(c), on disclosures about victims of abuse, neglect, or domestic violence, and Sec. 164.512(f)(3), on disclosures to law enforcement about crime victims. Section 164.512(d)--Uses and Disclosures for Health Oversight Activities Comment: A couple of commenters supported the NPRM's approach to health oversight. Several other commenters generally supported the NPRM's approach to disclosure of protected health information for national priority purposes, and they recommended some clarification regarding disclosure for health oversight. Two commenters recommended clarifying in the final rule that disclosure is allowed to all federal, state, and local agencies that use protected health information to carry out legally mandated responsibilities. Response: The final rule permits disclosures to public agencies that meet the definition of a health oversight agency and for oversight of the particular areas described in the statute. Section 164.512(a) of the final rule permits disclosures that are required by law. As discussed in the responses to comments of Sec. 164.512(a), we do not in the final rule permit disclosures merely authorized by other laws that do not fit within the other public policy purposes recognized by the rule. Comment: One commenter recommended clarifying in the final rule that covered entities are not required to establish business partner contracts with health oversight agencies or public health authorities to release individually identifiable information to them for purposes exempt from HIPAA and sanctioned by state law. Response: The final rule does not require covered entities to establish business associate contracts with health oversight agencies when they disclose protected health information to these agencies for oversight purposes. Comment: Two commenters recommended clarifying in the regulation text that the health oversight section does not create a new right of access to protected health information. Response: We agree and include such a statement in the preamble of Sec. 164.512(d) of the final rule. Comment: Several commenters were concerned that the proposed oversight section allowed but did not require disclosure of protected health information to health oversight agencies for oversight activities. Response: This rule's purpose is to protect the privacy of individually identifiable health information. Except to enforce the rule and to establish individuals' right to access their own protected health information (see Sec. 164.502(a)(2)), we do not require disclosure of protected health information to any person or entity. We allow such disclosure for situations in which other laws require disclosure. Comment: Some commenters were concerned that the NPRM would have allowed health oversight agencies to re-use and redisclose protected health information to other entities, and they were particularly concerned about re-disclosure to and re-use by law enforcement agencies. One commenter believed that government agencies would use the label of health oversight to gain access to protected health information from covered entities--thereby avoiding the procedural requirements of the law enforcement section (proposed Sec. 164.510(f)) and subsequently would turn over information to law enforcement officials. Thus, these groups were concerned that the potential for oversight access to protected health information under the rule to become the ``back door'' to law enforcement access to such information. Based on their concerns, these commenters recommended establishing a general prohibition on the re-use and re-disclosure of protected health information obtained by health oversight agencies in actions against individuals. One health plan expressed general concern about re-disclosure among all of the public agencies covered in the proposed Sec. 164.510. It recommended building safeguards into the rule to prevent information gathered for one purpose (for example, public health) from being used for another purpose (such as health oversight). Many of the commenters concerned about re-disclosure of protected health information obtained for oversight purposes said that if the Secretary lacked statutory authority to regulate oversight agencies' re-disclosure of protected health information and the re-use of this information by other agencies covered in proposed Sec. 164.510, the President should issue an Executive Order barring such re-disclosure and re-use. One of these groups specified that the Executive Order should bar re-use and re-disclosure of protected health information in actions against individuals. In contrast, some commenters advocated information-sharing between law enforcement and oversight agencies. Most of these commenters recognized that the NPRM would have allowed re-use and re-disclosure of protected health information from oversight to law [[Page 82672]] enforcement agencies, and they supported this approach. Response: We believe that the language we have added to the rule, at Sec. 164.512(d)(2) and the corresponding explanation in the preamble, to clarify the boundary between disclosures for health oversight and for law enforcement purposes should partially address the concern expressed by some that oversight agencies will be the back door for access by law enforcement. In situations when the individual is the subject of an investigation or activity and the investigation or activity is not related to health care fraud, the requirements for disclosure to law enforcement must be met, and an oversight agency cannot request the information under its more general oversight authority. We acknowledge, however, that there will be instances under the rule when a health oversight agency (or a law enforcement agency in its oversight capacity) that has obtained protected health information appropriately will be able to redisclose the information to a law enforcement agency for law enforcement purposes. Under HIPAA, we have the authority to restrict re-disclosure of protected health information only by covered entities. Re-disclosures by public agencies such as oversight agencies are not within the purview of this rule. We support the enactment of comprehensive privacy legislation that would govern such public agencies' re-use and re-disclosure of this information. Furthermore, in an effort to prevent health oversight provisions from becoming the back door to law enforcement access to protected health information, the President is issuing an Executive Order that places strict limitations on the use of protected health information gathered in the course of an oversight investigation for law enforcement activities. For example, such use will be subject to review by the Deputy Attorney General. Comment: Several commenters recommended modifying the proposed oversight section to require health oversight officials to justify and document their need for identifiable information. Response: We encourage covered entities to work with health oversight agencies to determine the scope of information needed for health oversight inquiries. However, we believe that requiring covered entities to obtain extensive documentation of health oversight information needs could compromise health oversight agencies' ability to complete investigations, particularly when an oversight agency is investigating the covered entity from which it is seeking information. Comment: Several commenters believed that health oversight activities could be conducted without access to individually identifiable health information. Some of these groups recommended requiring information provided to health oversight agencies to be de- identified to the extent possible. Response: We encourage health oversight agencies to use de- identified information whenever possible to complete their investigations. We recognize, however, that in some cases, health oversight agencies need identifiable information to complete their investigations. For example, as noted in the preamble to the NPRM, to determine whether a hospital has engaged in fraudulent billing practices, it may be necessary to examine billing records for a set of individual cases. Similarly, to determine whether a health plan is complying with federal or state health care quality standards, it may be necessary to examine individually identifiable health information in comparison with such standards. Thus, to allow health oversight agencies to conduct the activities that are central to their mission, the final rule does not require covered entities to de-identify protected health information before disclosing it to health oversight organizations. Comment: One commenter recommended requiring whistleblowers, pursuant to proposed Sec. 164.518(a)(4) of the NPRM, to raise the issue of a possible violation of law with the affected covered entity before disclosing such information to an oversight agency, attorney, or law enforcement official. Response: We believe that such a requirement would be inappropriate, because it would create the potential for covered entities that are the subject of whistleblowing to take action to evade law enforcement and oversight action. Comment: One commenter recommended providing an exemption from the proposed rule's requirements for accounting for disclosures when such disclosures were for health oversight purposes. Response: We recognize that in some cases, informing individuals that their protected health information has been disclosed to a law enforcement official or to a health oversight agency could compromise the ability of law enforcement and oversight officials to perform their duties appropriately. Therefore, in the final rule, we retain the approach of proposed Sec. 164.515 of the NPRM. Section 164.528(a)(2) of the final rule states that an individual's right to receive an accounting of disclosures to a health oversight agency, law enforcement official, or for national security or intelligence purposes may be temporarily suspended for the time specified by the agency or official. As described in Sec. 164.528(a)(2), for such a suspension to occur, the agency or official must provide the affected covered entity with a written request stating that an accounting to the individual would be reasonably likely to impede the agency's activity. The request must specify the time for which the suspension is required. We believe that providing a permanent exemption to the right to accounting for disclosures for health oversight purposes would fail to ensure that individuals are sufficiently informed about the extent of disclosures of their protected health information. Comment: One commenter recommended making disclosures to health oversight agencies subject to a modified version of the NPRM's proposed three-part test governing disclosure of protected health information to law enforcement pursuant to an administrative request (as described in proposed Sec. 164.510(f)(1)). Response: We disagree that it would be appropriate to apply the procedural requirements for law enforcement to health oversight. We apply more extensive procedural requirements to law enforcement disclosures than to disclosures for health oversight because we believe that law enforcement investigations more often involve situations in which the individual is the subject of the investigation (and thus could suffer adverse consequences), and we believe that it is appropriate to provide greater protection to individuals in such cases. Health oversight involves investigations of institutions that use health information as part of business functions, or of individuals whose health information has been used to obtain a public benefit. These circumstances justify broader access to information. Overlap Between Law Enforcement and Oversight Comment: Some commenters expressed concern that the NPRM's provisions permitting disclosures for health oversight and disclosures for law enforcement overlapped, and that the overlap could create confusion among covered entities, members of the public, and government agencies. The commenters identified particular factors that could lead to confusion, including that (1) the phrase ``criminal, civil, or administrative proceeding'' appeared in the definitions of both law enforcement [[Page 82673]] and oversight; (2) the examples of oversight agencies listed in the preamble included a number of organizations that also conduct law enforcement activities; (3) the NPRM addressed the issue of disclosures to investigate health care fraud in the law enforcement section (Sec. 164.510(f)(5)), yet health care fraud investigations are central to the mission of some health care oversight agencies; (4) the NPRM established more stringent rules for disclosure of protected health information pursuant to an administrative subpoena issued for law enforcement than for disclosure pursuant to an oversight agency's administrative subpoena; and (5) the preamble, but not the NPRM regulation text, indicated that agencies conducting both oversight and law enforcement activities would be subject to the oversight requirements when conducting oversight activities. Some commenters said that covered entities would be confused by the overlap between law enforcement and oversight and that this concern would lead to litigation over which rules should apply when an entity engaged in more than one of the activities listed under the exceptions in proposed Sec. 164.510. Other commenters believed that covered entities could manipulate the NPRM's ambiguities in their favor, claim that the more stringent law enforcement disclosure rules always should apply, and thereby delay investigations. A few comments suggested that the confusion could be clarified by making the regulation text consistent with the preamble, by stating that when agencies conducting both law enforcement and oversight seek protected health information as part of their oversight activities, the oversight rules would apply. Response: We agree that the boundary between disclosures for health oversight and disclosures for law enforcement proposed in the NPRM could have been more clear. Because many investigations, particularly investigations involving public benefit programs, have both health oversight and law enforcement aspects to them, and because the same agencies often perform both functions, drawing any distinction between the two functions is necessarily difficult. For example, traditional law enforcement agencies, such as the Federal Bureau of Investigation, have a significant role in health oversight. At the same time, traditional health oversight agencies, such as federal Offices of Inspectors General, often participate in criminal investigations. To clarify the boundary between law enforcement and oversight for purposes of complying with this rule, we add new language in the final rule, at Sec. 164.512(d)(2). This section indicates that health oversight activities do not include an investigation or activity in which the individual is the subject of the investigation or activity and the investigation or activity does not arise out of and is not directly related to health care fraud. In this rule, we describe investigations involving suspected health care fraud as investigations related to: (1) The receipt of health care; (2) a claim for public benefits related to health; or (3) qualification for, or receipt of public benefits or services where a patient's health is integral to the claim for public benefits or services. In such cases, where the individual is the subject of the investigation and the investigation does not relate to health care fraud, identified as investigations regarding issues (a) through (c), the rules regarding disclosure for law enforcement purposes (see Sec. 164.512(f)) apply. Where the individual is not the subject of the activity or investigation, or where the investigation or activity relates to health care fraud, a covered entity may make a disclosure pursuant to Sec. 164.512(d)(1), allowing uses and disclosures for health oversight activities. For example, when the U.S. Department of Labor's Pension and Welfare Benefits Administration (PWBA) needs to analyze protected health information about health plan enrollees in order to conduct an audit or investigation of the health plan (i.e., the enrollees are not subjects of the investigation) to investigate potential fraud by the health plan, the health plan may disclose protected health information to the PWBA under the health oversight rules. To clarify further that health oversight disclosure rules apply generally in health care fraud investigations (subject to the exception described above), in the final rule, we eliminate proposed Sec. 164.510(f)(5)(i), which would have established requirements for disclosure related to health fraud for law enforcement purposes. All disclosures of protected health information that would have been permitted under proposed Sec. 164.510(f)(5)(i) are permitted under Sec. 164.512(d). We also recognize that sections 201 and 202 of HIPAA, which established a federal Fraud and Abuse Control Program and the Medicare Integrity Program, identified health care fraud-fighting as a critical national priority. Accordingly, under the final rule, in joint law enforcement/oversight investigations involving suspected health care fraud, the health oversight disclosures apply, even if the individual also is the subject of the investigation. We also recognize that in some cases, health oversight agencies may conduct joint investigations with other oversight agencies involved in investigating claims for benefits unrelated to health. For example, in some cases, a state Medicaid agency may be working with officials of the Food Stamps program to investigate suspected fraud involving Medicaid and Food Stamps. While this issue was not raised specifically in the comments, we add new language (Sec. 164.512(d)(3)) to provide guidance to covered entities in such situations. Specifically, we clarify that if a health oversight investigation is conducted in conjunction with an oversight activity related to a claim for benefits unrelated to health, the joint activity or investigation is considered health oversight for purposes of the rule, and the covered entities may disclose protected health information pursuant to the health oversight provisions. Comment: An individual commenter recommended requiring authorization for disclosure of patient records in fraud investigations, unless the individual was the subject or target of the investigation. This commenter recommended requiring a search warrant for cases in which the individual was the subject and stating that fraud investigators should have access to the minimum necessary patient information. Response: As described above, we recognize that in some cases, activities include elements of both law enforcement and health oversight. Because we consider both of these activities to be critical national priorities, we do not require covered entities to obtain authorization for disclosure of protected health information to law enforcement or health oversight agencies--including those oversight activities related to health care fraud. We believe that investigations involving health care fraud represent health oversight rather than law enforcement. Accordingly, as indicated above, we remove proposed Sec. 164.510(f)(5)(i) from the law enforcement section of the proposed rule and clarify that all disclosures of protected health information for health oversight are permissible without authorization. As discussed in greater detail in Sec. 164.514, the final rule's minimum necessary standard applies to disclosures under Sec. 164.512 unless the disclosure is required by law under Sec. 164.512(a). [[Page 82674]] Comment: A large number of commenters expressed concern about the potential for health oversight agencies to become, in effect, the ``back door'' for law enforcement access to such information. The commenters suggested that health oversight agencies could use their relatively unencumbered access to protected health information to circumvent the more stringent process requirements that otherwise would apply to disclosures for law enforcement purposes. These commenters urged us to prohibit health oversight agencies from re-disclosing protected health information to law enforcement. Response: As indicated above, we do not intend for the rule's permissive approach to health oversight or the absence of specific documentation to permit the government to gather large amounts of protected health information for purposes unrelated to health oversight as defined in the rule, and we do not intend for these oversight provisions to serve as a ``back door'' for law enforcement access to protected health information. While we do not have the statutory authority to regulate law enforcement and oversight agencies' re-use and re-disclosure of protected health information, we strongly support enactment of comprehensive privacy legislation that would govern public agencies' re-use and re-disclosure of this information. Furthermore, in an effort to prevent health oversight provisions from becoming the back door to law enforcement access to protected health information, the President is issuing an Executive Order that places strict limitations on the use of protected health information gathered in the course of an oversight investigation for law enforcement activities. Comment: One commenter asked us to allow the requesting agency to decide whether a particular request for protected health information was for law enforcement or oversight purposes. Response: As described above, we clarify the overlap between law enforcement disclosures and health oversight disclosures based on the privacy and liberty interests of the individual (whether the individual also is the subject of the official inquiry) and the nature of the public interest (whether the inquiry relates to health care fraud or to another potential violation of law). We believe it is more appropriate to establish these criteria than to leave the decision to the discretion of an agency that has a stake in the outcome of the investigation. Section 164.512(e)--Disclosures for Judicial and Administrative Proceedings Comment: A few commenters suggested that the final rule not permit disclosures without an authorization for judicial and administrative proceedings. Response: We disagree. Protected health information is necessary for a variety of reasons in judicial and administrative proceedings. Often it may be critical evidence that may or may not be about a party. Requiring an authorization for all such disclosures would severely impede the review of legal and administrative claims. Thus, we have tried to balance the need for the information with the individual's privacy. We believe the approach described above provides individuals with the opportunity to object to disclosures and provides a mechanism through which their privacy interests are taken into account. Comment: A few commenters sought clarification about the interaction between permissible disclosures for judicial and administrative proceedings, law enforcement, and health oversight. Response: In the final rule, we state that the provision permitting disclosures without an authorization for judicial and administrative proceedings does not supersede other provisions in Sec. 164.512 that would otherwise permit or restrict the use or disclosure of protected health information. Additionally, in the descriptive preamble of Sec. 164.512, we provide further explanation of how these provisions relate to one another. Comments: Many commenters urged the Secretary to revise the rule to state that it does not preempt or supersede existing rules and statutes governing judicial proceedings, including rules of evidence, procedure, and discovery. One commenter asserted that dishonest health care providers and others should not be able to withhold their records by arguing that state subpoena and criminal discovery statutes compelling disclosure are preempted by the privacy regulation. Other commenters maintained that there is no need to replace providers' current practice, which typically requires either a signed authorization from the patient or a subpoena to release medical information. Response: These comments are similar to many of the more general preemption comments we received. For a full discussion of the Secretary's response on preemption issues, see part 160--subpart B. Comment: One commenter stated that the proposed rule creates a conflict with existing rules and statutes governing judicial proceedings, including rules of evidence and discovery. This commenter stated that the rule runs afoul of state judicial procedures for enforcement of subpoenas that require judicial involvement only when a party seeks to enforce a subpoena. Response: We disagree with this comment. The final rule permits covered entities to disclose protected health information for any judicial or administrative procedure in response to a subpoena, discovery request, or other lawful process if the covered entity has received satisfactory assurances that the party seeking the disclosure has made reasonable efforts to ensure that the individual has been given notice of the request or has made reasonable efforts to secure a qualified protective order from a court or administrative tribunal. A covered entity may disclose protected health information in response to a subpoena, discovery request, or other lawful process without a satisfactory assurance if it has made reasonable efforts to provide the individual with such notice or to seek a qualified protected order itself. These rules do not require covered entities or parties seeking the disclosure of protected health information to involve the judiciary; they may choose the notification option rather than seeking a qualified protective order. Many states have already enacted laws that incorporate these concepts. In California, for instance, an individual must be given ten days notice that his or her medical records are being subpoenaed from a health care provider and state law requires that the party seeking the records furnishes the health care provider with proof that the notice was given to the individual. In Montana, a party seeking discovery or compulsory process of medical records must give notice to the individual at least ten days in advance of serving the request on a health care provider, Service of the request must be accompanied by written certification that the procedure has been followed. In Rhode Island, an individual must be given notice that his or her medical records are being subpoenaed and notice of his or her right to object. The party serving the subpoena on the health care provider must provide written certification to the provider that: (1) This procedure has been followed, (2) twenty days have passed from the date of service, and (3) no challenge has been made to the disclosure or the court has ordered disclosure after resolution of a legal court challenge. In Washington, an individual must be given at least fourteen days from the date of service of notice that his or her health information is the subject of a [[Page 82675]] discovery request or compulsory process to obtain a protective order. The notice must identify the health care provider from whom the information is sought, specify the health care information that is sought, and the date by which a protective order must be obtained in order to prevent the provider from disclosing the information. Comment: A few commenters expressed concern that the rule would place unnecessary additional burdens on health care providers because when they receive a request for disclosure in connection with an administrative or judicial procedure, they would have to determine whether the litigant's health was at issue before they made the disclosure. A number of commenters complained that this requirement would make it too easy for litigants to obtain protected health information. One commenter argued that litigants should not be able to circumvent state evidentiary rules that would otherwise govern disclosure of protected health information simply upon counsel's statement that the other party's medical condition or history is at issue. Other commenters, however, urged that disclosure without authorization should be permitted whenever a patient places his or her medical condition or history at issue and recommended requiring the request for information to include a certification to this effect. Only if another party to litigation has raised a medical question, do these commenters believe a court order should be required. Similarly, one commenter supported a general requirement that disclosure without authorization be permitted only with a court order unless the patient has placed his or her physical or mental condition at issue. Response: We agree with the concerns expressed by several commenters about this provision and have eliminated this requirement from the final rule. Comment: A number of commenters stated that the proposed rule should be modified to permit disclosure without authorization pursuant to a lawful subpoena. One commenter argued that the provision would limit the scope of the Inspector General's subpoena power for judicial and administrative proceedings to information concerning a litigant whose health condition or history is at issue, and would impose a requirement that the Inspector General provide a written certification to that effect. Other commenters stated that the proposed rule would seriously impair the ability of state agencies to conduct administrative hearings on physician licensing and disciplinary matters. These commenters stated that current practice is to obtain information using subpoenas. Other commenters argued that disclosure of protected health information for judicial and administrative proceedings should require a court order and/or judicial review unless the subject of the information consents to disclosure. These commenters believed that an attorney's certification should not be considered sufficient authority to override an individual's privacy, and that the proposed rule made it too easy for a party to litigation to obtain information about the other party. Response: As a general matter, we agree with these comments. As noted, the final rule deletes the provision that would permit a covered entity to disclose protected health information pursuant to an attorney's certification that the individual is a party to the litigation and has put his or her medical condition at issue. Under the final rule, covered entities may disclose protected health information in response to a court or administrative order, provided that only the protected health information expressly authorized by the order is disclosed. Covered entities may also disclose protected health information in response to a subpoena, discovery request, or other lawful process without a court order, but only if the covered entity receives satisfactory assurances that the party seeking disclosure has made reasonable efforts to ensure that the individual has been notified of the request or that reasonable efforts have been made by the party seeking the information to secure a qualified protective order. Additionally, a covered entity may disclose protected health information in response to a subpoena, discovery request, or other lawful process without a satisfactory assurance if it makes reasonable efforts to provide the individual with such notice or to seek a qualified protected order itself. We also note that the final rule specifically provides that nothing in Subchapter C should be construed to diminish the authority of any Inspector General, including authority provided in the Inspector General Act of 1978. Comment: A number of commenters expressed concern that the proposed rule would not permit covered entities to introduce material evidence in proceedings in which, for example, the provisions of an insurance contract are at issue, or when a billing or payment issue is presented. They noted that although the litigant may be the owner of an insurance policy, he or she may not be the insured individual to whom the health information pertains. In addition, they stated that the medical condition or history of a deceased person may be at issue when the deceased person is not a party. Response: We disagree. Under the final rule, a covered entity may disclose protected health information without an authorization pursuant to a court or administrative order. It may also disclose protected health information with an authorization for judicial or administrative proceedings in response to a subpoena, discovery request, or other lawful process without a court order, if the party seeking the disclosure provides the covered entity with satisfactory assurances that it has made reasonable efforts to ensure that the individual has been notified of the request or to seek a qualified protective order. Additionally, a covered entity may disclose protected health information in response to a subpoena, discovery request, or other lawful process without a satisfactory assurance if it makes reasonable efforts to provide the individual with such notice or to seek a qualified protected order itself. Therefore, a party may obtain the information even if the subject of the information is not a party to the litigation or deceased. Comment: A few commenters argued that disclosure of protected health information should be limited only to those cases in which the individual has consented or a court order has been issued compelling disclosure. Response: The Secretary believes that such an approach would impose an unreasonable burden on covered entities and the judicial system and that greater flexibility is necessary to assure that the judicial and administrative systems function smoothly. We understand that even those states that have enacted specific statutes to protect the privacy of health information have not imposed requirements as strict as these commenters would suggest. Comment: Many commenters asked that the final rule require the notification of the disclosure be provided to the individual whose health information is subject to disclosure prior to the disclosure as part of a judicial or administrative proceeding. Most of these commenters also asked that the rule require that the individual who is the subject of a disclosure be given an opportunity to object to the disclosure. A few commenters suggested that patients be given ten days to object before requested information may be disclosed and recommend that the rule require the requester to provide a certification that notice has been provided and that ten days have passed [[Page 82676]] with no objection from the subject of the information. Some commenters suggested that if a subpoena for disclosure is not accompanied by a court order, the covered entities be prohibited from disclosing protected health information unless the individual has been given notice and an opportunity to object. Another commenter recommended requiring, in most circumstances, notice and an opportunity to object before a court order is issued and requiring the requestor of information to provide a signed document attesting the date of notification and forbid disclosure until ten days after notice is given. Response: We agree that in some cases the provision of notice with an opportunity to object to the disclosure is appropriate. Thus, in the final rule we provide that a covered entity may disclose protected health information in response to a subpoena, discovery request or other lawful process that is not accompanied by a court order if it receives satisfactory assurance from the party seeking the request that the requesting party has made a good faith attempt to provide written notice to the individual that includes sufficient information about the litigation or proceeding to permit the individual to raise an objection to the court or administrative tribunal and that the time for the individual to raise objections has elapsed (and that none were filed or all have been resolved). Covered entities may make reasonable efforts to provide such notice as well. In certain instances, however, the final rule permits covered entities to disclose protected health information for judicial and administrative proceedings without notice to the individual if the party seeking the request has made reasonable efforts to seek a qualified protective order, as described in the rule. A covered entity may also make reasonable efforts to seek a qualified protective order in order to make the disclosure. Additionally, a covered entity may disclose protected health information for judicial and administrative proceedings in response to an order of a court or administrative tribunal provided that the disclosure is limited to only that information that is expressly authorized by the order. The Secretary believes notice is not necessary in these instances because a court or administrative tribunal is in the best position to evaluate the merits of the arguments of the party seeking disclosure and the party who seeks to block it before it issues the order and that imposing further procedural obstacles before a covered entity may honor that disclosure request is unnecessary. Comment: Many commenters urged the Secretary to require specific criteria for court and administrative orders. Many of these commenters proposed that a provision be added to the rule that would require court and administrative orders to safeguard the disclosure and use of protected health information. These commenters urged that the information sought must be relevant and material, as specific and narrowly drawn as reasonably practicable, and only disclosed if de- identified information could not reasonably be used. Response: The Secretary's authority is limited to covered entities. Therefore, we do not impose requirements on courts and administrative tribunals. However, we note that the final rule limits the permitted disclosures by covered entities in court or administrative proceedings to only that information which is specified in the order from a court or an administrative body should provide a degree of protection for individuals from unnecessary disclosure. Comment: Several commenters asked that the ``minimum necessary'' standard not apply to disclosures made pursuant to a court order because individuals could then use the rule to contest the scope of discovery requests. However, many other commenters recommended that the rule permit disclosure only of information ``reasonably necessary'' to respond to a subpoena. These commenters raised concerns with applying the ``minimum necessary'' standard in judicial and administrative proceedings, but did not believe the holder of protected health information should have blanket authority to disclose all protected health information. Some of the commenters urged that disclosure of any information about third parties that may be included in the medical records of another person-- for example, the HIV status of a partner-- be prohibited. Finally, some commenters disagreed with the proposed rule because it did not require covered entities to evaluate the validity of subpoenas and discovery requests to determine whether these requests ask for the ``minimum necessary'' or ``reasonably necessary'' amount of information. Response: Under the final rule, if the disclosure is pursuant to an order of a court or administrative tribunal, covered entities may disclose only the protected health information expressly authorized by the order. In these instances, a covered entity is not required to make a determination whether or not the order might otherwise meet the minimum necessary requirement. If the disclosure is pursuant to a satisfactory assurance from the party seeking the disclosure, at least a good faith attempt has been made to notify the individual in writing of the disclosure before it is made or the parties have sought a qualified protective order that prohibits them from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which the information was requested and that the information will be returned to the covered entity or destroyed at the end of the litigation or the proceeding. Alternatively, the covered entity may seek such notice or qualified protective order itself. This approach provides the individual with protections and places the burden on the parties to resolve their differences about the appropriateness and scope of disclosure as part of the judicial or administrative procedure itself before the order is issued, rather than requiring the covered entity to get involved in evaluating the merits of the dispute in order to determine whether or not the particular request is appropriate or too broad. In these cases, the covered entity must disclose only the protected health information that is the minimum amount necessary to achieve the purpose for which the information is sought. We share the concern of the commenters that covered entities should redact any information about third parties before disclosing an individual's protected health information. During the fact-finding stage of our consideration of revisions to the proposed rule, we discussed this issue with representatives of covered entities. Currently, information about third parties is sometimes redacted by medical records personnel responding to requests for information. In particular, information regarding HIV status is treated with special sensitivity by these professionals. Although we considered including a special provision in the final rule prohibiting such disclosure, we decided that the revisions made to the proposed rule would provide sufficient protection. By restricting disclosure of protected health information to only that information specified in a court or administrative order or released pursuant to other types of lawful process only if the individual had notice and an opportunity to object or if the information was subject to a protective order, individuals who are concerned about disclosure of information concerning third parties will have the opportunity to raise that [[Page 82677]] issue prior to the request for disclosure being presented to the covered entity. We are reluctant to put the covered entity in the position of having to resolve disputes concerning the type of information that may be disclosed when that dispute should more appropriately be settled through the judicial or administrative procedure itself. Comment: One commenter asked that the final regulation clarify that a court order is not required when disclosure would otherwise be permitted under the rule. This commenter noted that the preamble states that the requirement for a court order would not apply if the disclosure would otherwise be permitted under the rule. For example, disclosures of protected health information pursuant to administrative, civil, and criminal proceedings relating to ``health oversight'' are permitted, even if no court or administrative orders have been issued. However, the commenter was concerned that this principle only appeared in the preamble and not in the rule itself. Response: Section 164.512(e)(4) of the final regulation contains this clarification. Comment: One commenter was concerned that the rule is unclear as to whether governmental entities are given a special right to ``use'' protected health information that private parties do not have under the proposed regulation or whether governmental entities that seek or use protected health information are treated the same as private parties in their use of such information. This commenter urged that we clarify our intent regarding the use of protected health information by governmental entities. Response: Generally governmental entities are treated the same as private entities under the rule. In a few clearly defined cases, a special rule applies. For instance, under Sec. 164.504(e)(3), when a covered entity and its business associate are both governmental entities, they may enter into a memorandum of understanding or adopt a regulation with the force and effect of law that incorporates the requirements of a business associate contract, rather than having to negotiate a business associate contract itself. Comment: One commenter recommended that final rule state that information developed as part of a quality improvement or medical error reduction program may not be disclosed under this provision. The commenter explained that peer review information developed to identify and correct systemic problems in delivery of care must be protected from disclosure to allow a full discussion of the root causes of such events so they may be identified and addressed. According to the commenter, this is consistent with peer review protections afforded this information by the states. Response: The question of whether or not such information should be protected is currently the subject of debate in Congress and in the states. It would be premature for us to adopt a position on this issue until a clear consensus emerges. Under the final rule, no special protection against disclosure is provided for peer review information of the type the commenter describes. However, unless the request for disclosure fits within one of the categories of permitted or required disclosures under the regulation, it may not be disclosed. For instance, if disclosure of peer review information is required by another law (such as Medicare or a state law), covered entities subject to that law may disclose protected health information consistent with the law. Comment: One commenter stated that the requirements of this section are in conflict with Medicare contractor current practices, as defined by the HCFA Office of General Counsel and suggested that the final rule include more specific guidelines. Response: Because the commenter failed to indicate the nature of these conflicts, we are unable to respond. Comment: One commenter stated that the rule should require rather than permit disclosure pursuant to court orders. Response: Under the statutory framework adopted by Congress in HIPAA, a presumption is established that the data contained in an individual's medical record belongs to the individual and must be protected from disclosure to third parties. The only instance in which covered entities holding that information must disclose it is if the individual requests access to the information himself or herself. In the final rule (as in the proposed rule), covered entities may use or disclose protected health information under certain enumerated circumstances, but are not required to do so. We do not believe that this basic principle should be compromised merely because a court order has been issued. Consistent with this principle, we provide covered entities with the flexibility to deal with circumstances in which the covered entity may have valid reasons for declining to release the protected health information without violating this regulation. Comment: One commenter noted that in some states, public health records are not subject to discovery, and that the proposed rule would not permit disclosure of protected health information pursuant to court order or subpoena if the disclosure is not allowed by state law. The commenter requested clarification as to whether a subpoena in a federal civil action would require disclosure if a state law prohibiting the release of public health records existed. Response: As explained above, the final rule permits, but does not require, disclosure of protected health information pursuant to a court order. Under the applicable preemption provisions of HIPAA, state laws relating to the privacy of medical information that are more stringent than the federal rules are not preempted. To the extent that an applicable state law precludes disclosure of protected health information that would otherwise be permitted under the final rule, state law governs. Comment: A number of commenters expressed concern that the proposed rule would negatively impact state and federal benefits programs, particularly social security and workers' compensation. One commenter requested that the final rule remove any possible ambiguity about application of the rule to the Social Security Administration's (SSA) evidence requests by permitting disclosure to all administrative level of benefit programs. In addition, several commenters stated that requiring SSA or states to provide the covered entity holding the protected health information with an individual's consent before it could disclose the information would create a huge administrative and paperwork burden with no added value to the individual. In addition, several other commenters indicated that states that make disability determinations for SSA also support special accommodation for SSA's determination process. They expressed concern that providers will narrowly interpret the HIPAA requirements, resulting in significant increases in processing time and program costs for obtaining medical evidence (especially purchased consultative examinations when evidence of record cannot be obtained). A few commenters were especially concerned about the impact on states and SSA if the final rule were to eliminate the NPRM's provision for a broad consent for ``all evidence from all sources.'' Some commenters also note that it would be inappropriate for a provider to make a minimum necessary determination in response to a request from SSA because the provider usually will not know the legal parameters of SSA's programs, or have access to the [[Page 82678]] individual's other sources of evidence. In addition, one commenter urged the Secretary to be sensitive to these concerns about delay and other negative impacts on the timely determination of disability by SSA for mentally impaired individuals. Response: Under the final rule, covered entities may disclose protected health information pursuant to an administrative order so the flow of protected health information from covered entities to SSA and the states should not be disrupted. Although some commenters urged that special rules should be included for state and federal agencies that need protected health information, the Secretary rejects that suggestion because, wherever possible, the public and the private sectors should operate under the same rules regarding the disclosure of health information. To the extent the activities of SSA constitute an actual administrative tribunal, covered entities must follow the requirements of Sec. 164.512(e), if they wish to disclose protected health information to SSA in those circumstances. Not all administrative inquiries are administrative tribunals, however. If SSA's request for protected health information comes within another category of permissible exemptions, a covered entity, following the requirements of the applicable section, may disclose the information to SSA. For example, if SSA seeks information for purposes of health oversight, a covered entity that wishes to disclose the information to SSA may do so under Sec. 164.512(d) and not Sec. 164.512(e). If the disclosure does not come within one of the other permissible disclosures would a covered entity need to meet the requirements of Sec. 164.512(e). If the SSA request does not come within another permissible disclosure, the agency will be treated like anyone else under the rules. The Secretary recognizes that even under current circumstances, professional medical records personnel do not always respond unquestioningly to an agency's request for health information. During the fact finding process, professionals charged with managing provider response to requests for protected health information indicated to us that when an agency's request for protected health information is over broad, the medical records professional will contact the agency and negotiate a more limited request. In balancing the interests of individuals against the need of governmental entities to receive protected health information, we think that applying the minimum necessary standard is appropriate and that covered entities should be responsible for ensuring that they disclose only that protected health information that is necessary to achieve the purpose for which the information is sought. Comment: In a similar vein, one commenter expressed concern that the proposed rule would adversely affect the informal administrative process usually followed in processing workers' compensation claims. Using formal discovery is not always possible, because some programs do not permit it. The commenter urged that the final rule must permit administrative agencies, employers, and workers' compensation carriers to use less formal means to obtain relevant medical evidence while the matter is pending before the agency. This commenter asked that the rule be revised to permit covered entities to disclose protected health information without authorization for purposes of federal or state benefits determinations at all levels of processing, from the initial application through continuing disability reviews. Response: If the disclosure is required by a law relating to workers' compensation, a covered entity may disclose protected health information as authorized by and to the extent necessary to comply with that law under Sec. 164.512(l). If the request for protected health information in connection with a workers' compensation claim is part of an administrative proceeding, a covered entity must meet the requirements set forth in Sec. 164.512(e), and discussed above, before disclosing the information. As noted, one permissible manner by which a covered entity may disclose protected health information under Sec. 164.512(e) is if the party seeking the disclosure makes reasonable efforts to provide notice to the individual as required by this provision. Under this method, the less formal process noted by the commenter would not be disturbed. Covered entity may disclose protected health information in response to other types of requests only as permitted by this regulation. Section 164.512(f)--Disclosures for Law Enforcement Purposes General Comments on Proposed Sec. 164.510(f) Comment: Some commenters argued that current law enforcement use of protected health information was legitimate and important. These commenters cited examples of investigations and prosecutions for which protected health information is needed, from white collar insurance fraud to violent assault, to provide incriminating evidence or to exonerate a suspect, to determine what charges are warranted and for bail decisions. For example, one commenter argued that disclosure of protected health information for law enforcement purposes should be exempt from the rule, because the proposed regulation would hamper Drug Enforcement Administration investigations. A few commenters argued that effective law enforcement requires early access to as much information as possible, to rule out suspects, assess severity of criminal acts, and for other purposes. A few commenters noted the difficulties criminal investigators and prosecutors face when fighting complex criminal schemes. In general, these commenters argued that all disclosures of protected health information to law enforcement should be allowed, or for elimination of the process requirements proposed in Sec. 164.510(f)(1). Response: The importance and legitimacy of law enforcement activities are beyond question, and they are not at issue in this regulation. We permit disclosure of protected health information to law enforcement officials without authorization in some situations precisely because of the importance of these activities to public safety. At the same time, individuals' privacy interests also are important and legitimate. As with all the other disclosures of protected health information permitted under this regulation, the rules we impose attempt to balance competing and legitimate interests. Comment: Law enforcement representatives stated that law enforcement agencies had a good track record of protecting patient privacy and that additional restrictions on their access and use of information were not warranted. Some commenters argued that no new limitations on law enforcement access to protected health information were necessary, because sufficient safeguards exist in state and federal laws to prevent inappropriate disclosure of protected health information by law enforcement. Response: Disclosure of protected health information by law enforcement is not at issue in this regulation. Law enforcement access to protected health information in the first instance, absent any re- disclosure by law enforcement, impinges on individuals' privacy interests and must therefore be justified by a public purpose that outweighs individuals' privacy interests. We do not agree that sufficient safeguards already exist in this area. We are not aware of, and the comments did [[Page 82679]] not provide, evidence of a minimum set of protections for individuals relating to access by law enforcement to their protected health information. Federal and state laws in this area vary considerably, as they do for other areas addressed in this final rule. The need for standards in this area is no less critical than in the other areas addressed by this rule. Comment: Many commenters argued that no disclosures of protected health information should be made to law enforcement (absent authorization) without a warrant issued by a judicial officer after a finding of probable cause. Others argued that a warrant or subpoena should be required prior to disclosure of protected health information unless the disclosure is for the purposes of identifying a suspect, fugitive, material witness, or missing persons, as described in proposed Sec. 164.510(f)(2). Some commenters argued that judicial review prior to release of protected health information to law enforcement should be required absent the exigent and urgent circumstances identified in the NPRM in Sec. 164.510(f)(3) and (5), or absent ``a compelling need'' or similar circumstances. Response: In the final rule, we attempt to match the level of procedural protection for privacy required by this rule with the nature of the law enforcement need for access, the existence of other procedural protections, and individuals' privacy interests. Where other rules already impose procedural protections, this rule generally relies on those protections rather than imposing new ones. Thus, where access to protected health information is granted after review by an independent judicial officer (such as a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer), no further requirements are necessary. Similarly, because information disclosed to a grand jury is vital to law enforcement purposes and is covered by secrecy protection, this rule allows disclosure with no further process. We set somewhat stricter standards for disclosure of protected health information pursuant to administrative process, such as administrative subpoenas, summonses, and civil or authorized investigative demands. In these cases, the level of existing procedural protections is lower than for judicially-approved or grand jury disclosures. We therefore require a greater showing, specifically, the three-part test described in Sec. 164.512(f)(1)(ii), before the covered entity is permitted to release protected health information. Where the information to be disclosed is about the victim of a crime, privacy interests are heightened and we require the victim's agreement prior to disclosure in most instances. In the limited circumstances where law enforcement interests are heightened, we allow disclosure of protected health information without prior legal process or agreement, but we impose procedural protections such as limits on the information that may lawfully be disclosed, limits on the circumstances in which the information may be disclosed, and requirements for verifying the identity and authority of the person requesting the disclosures. For example, in some cases law enforcement officials may seek limited but focused information needed to obtain a warrant. A witness to a shooting may know the time of the incident and the fact that the perpetrator was shot in the left arm, but not the identity of the perpetrator. Law enforcement would then have a legitimate need to ask local emergency rooms whether anyone had presented with a bullet wound to the left arm near the time of the incident. Law enforcement may not have sufficient information to obtain a warrant, but instead would be seeking such information. In such cases, when only limited identifying information is disclosed and the purpose is solely to ascertain the identity of a person, the invasion of privacy would be outweighed by the public interest. For such circumstances, we allow disclosure of protected health information in response to a law enforcement inquiry where law enforcement is seeking to identify a suspect, fugitive, material witness, or missing person, but allow only disclosure of a limited list of information. Similarly, it is in the public interest to allow covered entities to take appropriate steps to protect the integrity and safety of their operations. Therefore, we permit covered entities on their own initiative to disclose to law enforcement officials protected health information for this purpose. However, we limit such disclosures to protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. We shape the rule's provisions with respect to law enforcement according to the limited scope of our regulatory authority under HIPAA, which applies only to the covered entities and not to law enforcement officials. We believe the rule sets the correct standards for when an exception to the rule of non-disclosure is appropriate for law enforcement purposes. There may be advantages, however, to legislation that applies the appropriate standards directly to judicial officers, prosecutors in grand juries, and to those making administrative or other requests for protected health information, rather than to covered entities. These advantages could include measures to hold officials accountable if they seek or receive protected health information contrary to the legal standard. In Congressional consideration of law enforcement access, there have also been useful discussions of other topics, such as limits on re-use of protected health information gathered in the course of health oversight activities. The limitations on our regulatory authority provide additional reason to support comprehensive medical privacy legislation. Comment: A few commenters cited existing sanctions for law enforcement officials who violate the rights of individuals in obtaining evidence, ranging from suppression of that evidence to monetary penalties, and argued that such sanctions are sufficient to protect patients' privacy interests. Response: After-the-fact sanctions are important, but they are effective only when coupled with laws that establish the ground rules for appropriate behavior. That is, a sanction applies only where some other rule has been violated. This regulation sets such basic ground rules. Further, under the HIPAA statutory authority, we cannot impose sanctions on law enforcement officials or require suppression of evidence. We must therefore rely on rules that regulate disclosure of protected health information by covered entities in the first instance. Comment: Several commenters argued that disclosure of protected health information under Sec. 164.510(f) should be mandatory, not just permitted. Others argued that we should mandate disclosure of protected health information in response to Inspector General subpoenas. A few commenters argued that we should require all covered entities to include disclosure of protected health information to law enforcement in their required notice of privacy practices. Response: The purpose of this regulation is to protect individuals' privacy interests, consistent with other important public activities. Other laws set the rules governing those public activities, including when health information is necessary for their effective operation. See discussion of Sec. 164.512(a). [[Page 82680]] Comment: Some commenters questioned whether the Secretary had statutory authority to directly or indirectly impose new procedural or substantive requirements on otherwise lawful legal process issued under existing federal and state rules. They argued that, while the provisions are imposed on ``covered entities,'' the rule would result in law enforcement officials being compelled to modify current practices to harmonize them with the requirements this rule imposes on covered entities. A number of state law enforcement agencies argued that the rule would place new burdens on state administrative subpoenas and requests that are intrusive in state functions. At least one commenter argued that the requirement for prior process places unreasonable restrictions on the right of the states to regulate law enforcement activities. Response: This rule regulates the ability of health care clearinghouses, health plans, and covered health care providers to use and disclose health information. It does not regulate the behavior of law enforcement officials or the courts, nor does it prevent states from regulating law enforcement officials. All regulations have some effects on entities that are not directly regulated. We have considered those effects in this instance and have determined that the provisions of the rule are necessary to protect the privacy of individuals. Comment: One commenter argued that state licensing boards should be exempt from restrictions placed on law enforcement officials, because state licensing and law enforcement are different activities. Response: Each state's law determines what authorities are granted to state licensing boards. Because state laws differ in this regard, we cannot make a blanket determination that state licensing officials are or are not law enforcement officials under this regulation. We note, however, that the oversight of licensed providers generally is included as a health oversight activity at Sec. 164.512(d). Relationship to Existing Rules and Practices Comment: Many commenters expressed concern that the proposed rule would have expanded current law enforcement access to protected health information. Many commenters said that the NPRM would have weakened their current privacy practices with respect to law enforcement access to health records. For example, some of the commenters arguing that a warrant or subpoena should be required prior to disclosure of protected health information unless the disclosure is for the purposes of identifying a suspect, fugitive, material witness, or missing persons, did so because they believed that such a rule would be consistent with current state law practices. Response: This regulation does not expand current law enforcement access to protected health information. We do not mandate any disclosures of protected health information to law enforcement officials, nor do we make lawful any disclosures of protected health information which are unlawful under other rules and regulations. Similarly, this regulation does not describe a set of ``best practices.'' Nothing in this regulation should cause a covered entity to change practices that are more protective of privacy than the floor of protections provided in this regulation. This regulation sets forth the minimum practices which a covered entity must undertake in order to avoid sanctions under the HIPAA. We expect and encourage covered entities to exercise their judgment and professional ethics in using and disclosing health information, and to continue any current practices that provide privacy protections greater than those mandated in this regulation. Comment: Many commenters asserted that, today, consent or judicial review always is required prior to release of protected health information to law enforcement; therefore, they said that the proposed rule would have lessened existing privacy protections. Response: In many situations today, law enforcement officials lawfully obtain health information absent any prior legal process and absent exigent circumstances. The comments we received on the NPRM, both from law enforcement and consumer advocacy groups, describe many such situations. Moreover, this rule sets forth minimum privacy protections and does not preempt more stringent, pre-existing standards. Comment: Some commenters argued that health records should be entitled to at least as much protection as cable subscription records and video rental records. Response: We agree. The Secretary, in presenting her initial recommendations on the protection of health information to the Congress in 1997, stated that, ``When Congress looked at the privacy threats to our credit records, our video records, and our motor vehicle records, it acted quickly to protect them. It is time to do the same with our health care records' (Testimony of Donna E. Shalala, Secretary, U. S. Department of Health and Human Services, before the Senate Committee on Labor & Human Resources, September 11, 1997). However, the limited jurisdiction conferred on us by the HIPAA does not allow us to impose such restrictions on law enforcement officials or the courts. Comment: At least one commenter argued that the regulation should allow current routine uses for law enforcement under the Privacy Act. Response: This issue is discussed in the ``Relationship to Other Federal Laws'' preamble discussion of the Privacy Act. Comment: A few commenters expressed concern that people will 8be less likely to provide protected health information for public health purposes if they fear the information could be used for law enforcement purposes. Response: This regulation does not affect law enforcement access to records held by public health authorities, nor does it expand current law enforcement access to records held by covered entities. These agencies are for the most part not covered entities under HIPAA. Therefore, this regulation should not reduce current cooperation with public health efforts. Relationship to Other Provisions of This Regulation Comment: Several commenters pointed out an unintended interaction between proposed Secs. 164.510(f) and 164.510(n). Because proposed Sec. 164.510(n), allowing disclosures mandated by other laws, applied only if the disclosure would not fall into one of the categories of disclosures provided for in Sec. 164.510 (b)-(m), disclosures of protected health information mandated for law enforcement purposes by other law would have been preempted. Response: We agree, and in the final rule we address this unintended interaction. It is not our intent to preempt these laws. To clarify the interaction between these provisions, in the final rule we have specifically added language to the paragraph addressing disclosures for law enforcement that permits covered entities to comply with legal mandates, and have included a specific cross reference in the provision of the final rule that permits covered entities to make other disclosures required by law. See Sec. 164.512(a). Comment: Several commenters argued that, when a victim of abuse or of a crime has requested restrictions on disclosure, the restrictions should be communicated to any law enforcement officials who receive that protected health information. Response: We do not have the authority to regulate law enforcement [[Page 82681]] use and disclosure of protected health information, and therefore we could not enforce any such restrictions communicated to law enforcement officials. For this reason, we determined that the benefits to be gained from requiring communication of restrictions would not outweigh the burdens such a requirement would place on covered entities. We expect that professional ethics will guide health care providers' communications to law enforcement officials about the welfare of victims of abuse or other crime. Comment: Some commenters argued against imposing the ``minimum necessary'' requirement on disclosure of protected health information to law enforcement officials. Some law enforcement commenters expressed concern that the ``minimum necessary'' test could be ``manipulated'' by a covered entity that wished to withhold relevant evidence. A number of covered entities complained that they were ill-equipped to substitute their judgment for that of law enforcement for what was the minimum amount necessary, and they also argued that the burden of determining the ``minimum necessary'information should be transferred to law enforcement agencies. Some commenters argued that imposing such ``uninformed'' discretion on covered entities would delay or thwart legitimate investigations, and would result in withholding information that might exculpate an individual or might be necessary to present a defendant's case. One comment suggested that covered entities have ``immunity'' for providing too much information to law enforcement. Response: The ``minimum necessary'' standard is discussed at Sec. 164.514. Comment: A few commenters asked us to clarify when a disclosure is for a ``Judicial or Administrative Proceeding'' and when it is for ``Law Enforcement'' purposes. Response: In the final rule we have clarified that Sec. 164.512(e) relating to disclosures for judicial or administrative proceedings does not supersede the authority of a covered entity to make disclosures under other provisions of the rule. Use of Protected Health Information After Disclosure to Law Enforcement Comment: Many commenters recommended that we restrict law enforcement officials' re-use and re-disclosure of protected health information. Some commenters asked us to impose such restrictions, while other commenters noted that the need for such restrictions underscores the need for legislation. Another argued for judicial review prior to release of protected health information to law enforcement because this regulation cannot limit further uses or disclosures of protected health information once it is in the hands of law enforcement agencies. Response: We agree that there are advantages to legislation that imposes appropriate restrictions directly on the re-use and re- disclosure of protected health information by many persons who may lawfully receive protected health information under this regulation, but whom we cannot regulate under the HIPAA legislative authority, including law enforcement agencies. Comment: A few commenters expressed concern that protected health information about persons who are not suspects may be used in court and thereby become public knowledge. These commenters urged us to take steps to minimize or prevent such protected health information from becoming part of the public record. Response: We agree that individuals should be protected from unnecessary public disclosure of health information about them. However, we do not have the statutory authority in this regulation to require courts to impose protective orders. To the extent possible within the HIPAA statutory authority, we address this problem in Sec. 164.512(e), Judicial and Administrative Proceedings. Comment: Some commenters argued that evidence obtained in violation of the regulation should be inadmissible at trial. Response: In this regulation, we do not have the authority to regulate the courts. We can neither require nor prohibit courts from excluding evidence obtain in violation of this regulation. Comments Regarding Proposed Sec. 164.510(f)(1), Disclosures to Law Enforcement Pursuant to Process Comments Supporting or Opposing a Requirement of Consent or Court Order Comment: Some commenters argued that a rule that required a court order for every instance that law enforcement sought protected health information would impose substantial financial and administrative burdens on federal and state law enforcement and courts. Other commenters argued that imposing a new requirement of prior judicial process would compromise the time-sensitive nature of many investigations. Response: We do not impose such a requirement in this regulation. Comment: Many commenters argued that proposed Sec. 164.510(f)(1) would have given law enforcement officials the choice of obtaining records with or without a court order, and that law enforcement ``will choose the least restrictive means of obtaining records, those that do not require review by a judge or a prosecutor.'' Several commenters argued that this provision would have provided the illusion of barriers--but no real barriers--to law enforcement access to protected health information. A few argued that this provision would have allowed law enforcement to regulate itself. Response: We agree with commenters that, in some cases, a law enforcement official may have discretion to seek health information under more than one legal avenue. Allowing a choice in these circumstances does not mean an absence of real limits. Where law enforcement officials choose to obtain protected health information through administrative process, they must meet the three-part test required by this regulation. Comment: At least one commenter argued for judicial review prior to disclosure of health information because the rule will become the ``de facto'' standard for release of protected health information. Response: We do not intend for this regulation to become the ``de facto'' standard for release of protected health information. Nothing in this regulation limits the ability of states and other governmental authorities to impose stricter requirements on law enforcement access to protected health information. Similarly, we do not limit the ability of covered entities to adopt stricter policies for disclosure of protected health information not mandated by other laws. Comment: A few commenters expressed concern that proposed Sec. 164.510(f)(1) would have overburdened the judicial system. Response: The comments did not provide any factual basis for evaluating this concern. Comment: Some commenters argued that, while a court order should be required, the standard of proof should be something other than ``probable cause.'' For example, one commenter argued that the court should apply the three-part test proposed in Sec. 164.510(f)(1)(i)(C). Another commenter suggested a three-part test: The information is necessary, the need cannot be met with non-identifiable information, and the need of law enforcement outweighs the privacy interest of the patient. Some commenters suggested that we impose a ``clear and convincing'' standard. Another suggested that we require clear and convincing evidence that: (1) The [[Page 82682]] information sought is relevant and material to a legitimate criminal investigation; (2) the request is as specific and narrow as is reasonably practicable; (3) de-identified information, for example coded records, could not reasonably be used; (4) on balance, the need for the information outweighs the potential harm to the individuals and to patient care generally; and (5) safeguards appropriate to the situation have been considered and imposed. This comment also suggested the following as such appropriate safeguard: granting only the right to inspect and take notes; allowing copying of only certain portions of records; prohibiting removing records from the premises; placing limits on subsequent use and disclosure; and requiring return or destruction of the information at the earliest possible time.) Others said the court order should impose a ``minimum necessary'' standard. Response: We have not revised the regulation in response to comments suggesting that we impose additional standards relating to disclosures to comply with court orders. Unlike administrative subpoenas, where there is no independent review of the order, court orders are issued by an independent judicial officer, and we believe that covered entities should be permitted under this rule to comply with them. Court orders are issued in a wide variety of cases, and we do not know what hardships might arise by imposing standards that would require judicial officers to make specific findings related to privacy. Comment: At least one commenter argued that the proposed rule would have placed too much burden on covered entities to evaluate whether to release information in response to a court order. This comment suggested that the regulation allow disclosure to attorneys for assessment of what the covered entity should release in response to a court order. Response: This regulation does not change current requirements on or rights of covered entities with respect to court orders for the release of health information. Where such disclosures are required today, they continue to be required under this rule. Where other law allows a covered entity to challenge a court order today, this rule will not reduce the ability of a covered entity to mount such a challenge. Under Sec. 164.514, a covered entity will be permitted to rely on the face of a court order to meet this rule's requirements for verification of the legal authority of the request for information. A covered entity may disclose protected health information to its attorneys as needed, to perform health care operations, including to assess the covered entity's appropriate response to court orders. See definition of ``health care operations'' under Sec. 164.501. Comment: Many commenters argued that the regulation should prohibit disclosures of protected health information to law enforcement absent patient consent. Response: We disagree with the comment. Requiring consent prior to any release of protected health information to a law enforcement official would unduly jeopardize public safety. Law enforcement officials need protected health information for their investigations in a variety of circumstances. The medical condition of a defendant could be relevant to whether a crime was committed, or to the seriousness of a crime. The medical condition of a witness could be relevant to the reliability of that witness. Health information may be needed from emergency rooms to locate a fleeing prison escapee or criminal suspect who was injured and is believed to have stopped to seek medical care. These and other uses of medical information are in the public interest. Requiring the authorization of the subject prior to disclosure could make apprehension or conviction of some criminals difficult or impossible. In many instances, it would not be possible to obtain such consent, for example because the subject of the information could not be located in time (or at all). In other instances, the covered entity may not wish to undertake the burden of obtaining the consent. Rather than an across-the-board consent requirement, to protect individuals' privacy interests while also promoting public safety, we impose a set of procedural safeguards (described in more detail elsewhere in this regulation) that covered entities must ensure are met before disclosing protected health information to law enforcement officials. In most instances, such procedural safeguards consist of some prior legal process, such as a warrant, grand jury subpoena, or an administrative subpoena that meets a three-part test for protecting privacy interests. When the information to be disclosed is about the victim of a crime, privacy interests are heightened and we require the victim's agreement prior to disclosure in most instances. In the limited circumstances where law enforcement interests are heightened and we allow disclosure of protected health information without prior legal process or agreement, the procedural protections include limits on the information that may lawfully be disclosed, the circumstances in which the information may be disclosed, and requirements for verifying the identity and authority of the person requesting the disclosures. We also allow disclosure of protected health information to law enforcement officials without consent when other law mandates the disclosures. When such other law exists, another public entity has made the determination that law enforcement interests outweigh the individual's privacy interests in the situations described in that other law, and we do not upset that determination in this regulation. Comment: Several commenters recommended requiring that individuals receive notice and opportunity to contest the validity of legal process under which their protected health information will be disclosed, prior to disclosure of their records to law enforcement. Some of these commenters recommended adding this requirement to provisions proposed in the NPRM, while others recommended establishing this requirement as part of a new requirement for a judicial warrant prior to all disclosures of protected health information to law enforcement. At least one of these commenters proposed an exception to such a notice requirement where notice might lead to destruction of the records. Response: Above we discuss the reasons why we believe it is inappropriate to require consent or a judicial order prior to any release of protected health information to law enforcement. Many of those reasons apply here, and they lead us not to impose such a notice requirement. Comment: A few commenters believed that the proposed requirements in Sec. 164.510(f)(1) would hinder investigations under the Civil Rights for Institutionalized Persons Act (CRIPA). Response: We did not intend that provision to apply to investigations under CRIPA, and we clarify in the final rule that covered entities may disclose protected health information for such investigations under the health oversight provisions of this regulation (see Sec. 164.512(d) for further detail). Comments Suggesting Changes to the Proposed Three-Part Test Comment: Many commenters argued for changes to the proposed three- part test that would make the test more difficult to meet. Many of these urged greater, but unspecified, restrictions. Others argued that the proposed test was too stringent, and that it would have hampered criminal investigations and prosecutions. Some argued that it [[Page 82683]] was too difficult for law enforcement to be specific at the beginning of an investigation. Some argued that there was no need to change current practices, and they asked for elimination of the three-part test because it was ``more stringent'' than current practices and would make protected health information more difficult to obtain for law enforcement purposes. These commenters urged elimination of the three- part test so that administrative bodies could continue current practices without additional restrictions. Some of these argued for elimination of the three-part test for all administrative subpoenas; others argued for elimination of the three-part test for administrative subpoenas from various Inspectors General offices. A few commenters argued that the provisions in proposed Sec. 164.510(f)(1) should be eliminated because they would have burdened criminal investigations and prosecutions but would have served ``no useful public purpose.'' Response: We designed the proposed three-part test to require proof that the government's interest in the health information was sufficiently important and sufficiently focused to overcome the individual's privacy interest. If the test were weakened or eliminated, the individual's privacy interest would be insufficiently protected. At the same time, if the test were significantly more difficult to meet, law enforcement's ability to protect the public interest could be unduly compromised. Comment: At least one comment argued that, in the absence of a judicial order, protected health information should be released only pursuant to specific statutory authority. Response: It is impossible to predict all the facts and circumstances, for today and into the future, in which law enforcement's interest in health information outweigh individuals' privacy interests. Recognizing this, states and other governments have not acted to list all the instances in which health information should be available to law enforcement officials. Rather, they specify some such instances, and rely on statutory, constitutional, and other limitations to place boundaries on the activities of law enforcement officials. Since the statutory authority to which the commenter refers does not often exist, many uses of protected health information that are in the public interest (described above in more detail) would not be possible under such an approach. Comment: At least one commenter, an administrative agency, expressed concern that the proposed rule would have required its subpoenas to be approved by a judicial officer. Response: This rule does not require judicial approval of administrative subpoenas. Administrative agencies can avoid the need for judicial review under this regulation by issuing subpoenas for protected health information only where the three-part test has been met. Comment: Some commenters suggested alternative requirements for law enforcement access to protected health information. A few suggested replacing the three-part test with a requirement that the request for protected health information from law enforcement be in writing and signed by a supervisory official, and/or that the request ``provide enough information about their needs to allow application of the minimum purpose rule.'' Response: A rule requiring only that the request for information be in writing and signed fails to impose appropriate substantive standards for release of health information. A rule requiring only sufficient information for the covered entity to make a ``minimum necessary'' determination would leave these decisions entirely to covered entities' discretion. We believe that protection of individuals' privacy interests must start with a minimum floor of protections applicable to all. We believe that while covered entities may be free to provide additional protections (within the limits of the law), they should not have the ability to allow unjustified access to health information. Comment: Some commenters argued that the requirement for an unspecified ``finding'' for a court order should be removed from the proposed rule, because it would have been confusing and would have provided no guidance to a court as to what finding would be sufficient. Response: We agree that the requirement would have been confusing, and we delete this language from the final regulation. Comment: A few commenters argued that the proposed three-part test should not be applied where existing federal or state law established a standard for issuing administrative process. Response: It is the content of such a standard, not its mere existence, that determines whether the standard strikes an appropriate balance between individuals' privacy interests and the public interest in effective law enforcement activities. We assume that current authorities to issue administrative subpoena are all subject to some standards. When an existing standard provides at least as much protection as the three-part test imposed by this regulation, the existing standard is not disturbed by this rule. When, however, an existing standard for issuing administrative process provides less protection, this rule imposes new requirements. Comment: Some covered entities said that they should not have been asked to determine whether the proposed three-part test has been met. Some argued that they were ill-equipped to make a judgment on whether an administrative subpoena actually met the three-part test, or that it was unfair to place the burden of making such determinations on covered entities. Some argued that the burden should have been on law enforcement, and that it was inappropriate to shift the burden to covered entities. Other commenters argued that the proposal would have given too much discretion to the record holders to withhold evidence without having sufficient expertise or information on which to make such judgments. At least one comment said that this aspect of the proposal would have caused delay and expense in the detection and prevention of health care fraud. The commenter believed that this delay and expense could be prevented by shifting to law enforcement and health care oversight the responsibility to determine whether standards have been met. At least one commenter recommended eliminating the three-part test for disclosures of protected health information by small providers. Some commenters argued that allowing covered entities to rely on law enforcement representation that the three-part test has been met would render the test meaningless. Response: Because the statute does not bring law enforcement officials within the scope of this regulation, the rule must rely on covered entities to implement standards that protect individuals' privacy interests, including the three-part test for disclosure pursuant to administrative subpoenas. To reduce the burden on covered entities, we do not require a covered entity to second-guess representations by law enforcement officials that the three part test has been met. Rather, we allow covered entities to disclose protected health information to law enforcement when the subpoena or other administrative request indicates on its face that the three-part test has been met, or where a separate document so indicates. Because we allow such reliance, we do not believe that it is necessary or appropriate to reduce privacy protections for individuals who obtain care from small health care providers. [[Page 82684]] Comment: Some commenters ask for modification of the three-part test to include a balancing of the interests of law enforcement and the privacy of the individual, pointing to such provisions in the Leahy- Kennedy bill. Response: We agree with the comment that the balancing of these interests is important in this circumstance. We designed the regulation's three-part test to accomplish that result. Comment: At least one commenter recommended that ``relevant and material'' be changed to ``relevant,'' because ``relevant'' is a term at the core of civil discovery rules and is thus well understood, and because it would be difficult to determine whether information is ``material'' prior to seeing the documents. As an alternative, this commenter suggested explaining what we meant by ``material.'' Response: Like the term ``relevant,'' the term ``material'' is commonly used in legal standards and well understood. Comment: At least one commenter suggested deleting the phrase ``reasonably practical'' from the second prong of the test, because, the commenter believed, it was not clear who would decide what is ``reasonably practical'' if the law enforcement agency and covered entity disagreed. Response: We allow covered entities to rely on a representation on the face of the subpoena that the three-part test, including the ``reasonably practical'' criteria, is met. If a covered entity believes that a subpoena is not valid, it may challenge that subpoena in court just as it may challenge any subpoena that today it believes is not lawfully issued. This is true regardless of the specific test that a subpoena must meet, and is not a function of the ``reasonably practical'' criteria. Comment: Some commenters requested elimination of the third prong of the test. One of these commenters suggested that the regulation should specify when de-identified information could not be used. Another recommended deleting the phrase ``could not reasonably be used'' from the third prong of the test, because the commenter believed it was not clear who would determine whether de-identified information ``could reasonably be used'' if the law enforcement agency and covered entity disagreed. Response: We cannot anticipate in regulation all the facts and circumstances surrounding every law enforcement activity today, or in the future as technologies change. Such a rigid approach could not account for the variety of situations faced by covered entities and law enforcement officials, and would become obsolete over time. Thus, we believe it would not be appropriate to specify when de-identified information can or cannot be used to meet legitimate law enforcement needs. In the final rule, we allow the covered entity to rely on a representation on the face of the subpoena (or similar document) that the three-part test, including the ``could not reasonably be used'' criteria, is met. If a covered entity believes that a subpoena is not valid, it may challenge that subpoena in court just as it may challenge today any subpoena that it believes is not lawfully issued. This is true regardless of the specific test that a subpoena must meet, and it is not a function of the ``could not reasonably be used'' criteria. Comments Regarding Proposed Sec. 164.510(f)(2), Limited Information for Identifying Purposes Comment: A number of commenters recommended deletion of this provision. These commenters argued that the legal process requirements in proposed Sec. 164.510(f)(1) should apply when protected health information is disclosed for identification purposes. At least one privacy group recommended that if the provision were not eliminated in its entirety, ``suspects'' should be removed from the list of individuals whose protected health information may be disclosed for identifying purposes. Many commenters expressed concern that this provision would allow compilation of large data bases of health information that could be use for purposes beyond those specified in this provision. Response: We retain this provision in the final rule. We continue to believe that identifying fugitives, material witnesses, missing persons, and suspects is an important national priority and that allowing disclosure of limited identifying information for this purpose is in the public interest. Eliminating this provision--or eliminating suspects from the list of types of individuals about whom disclosure of protected health information to law enforcement is allowed--would impede law enforcement agencies'' ability to apprehend fugitives and suspects and to identify material witnesses and missing persons. As a result, criminals could remain at large for longer periods of time, thereby posing a threat to public safety, and missing persons could be more difficult to locate and thus endangered. However, as described above and in the following paragraphs, we make significant changes to this provision, to narrow the information that may be disclosed and make clear the limited purpose of the provision. For example, the proposed rule did not state explicitly whether covered entities would have been allowed to initiate--in the absence of a request from law enforcement--disclosure of protected health information to law enforcement officials for the purpose of identifying a suspect, fugitive, material witness or missing person. In the final rule, we clarify that covered entities may disclose protected health information for identifying purposes only in response to a request by a law enforcement official or agency. A ``request by a law enforcement official or agency'' is not limited to direct requests, but also includes oral or written requests by individuals acting on behalf of a law enforcement agency, such as a media organization broadcasting a request for the public's assistance in identifying a suspect on the evening news. It includes ``Wanted'' posters, public announcements, and similar requests to the general public for assistance in locating suspects or fugitives. Comment: A few commenters recommended additional restrictions on disclosure of protected health information for identification purposes. For example, one commenter recommended that the provision should either (1) require that the information to be disclosed for identifying purposes be relevant and material to a legitimate law enforcement inquiry and that the request be as specific and narrowly drawn as possible; or (2) limit disclosures to circumstances in which (a) a crime of violence has occurred and the perpetrator is at large, (b) the perpetrator received an injury during the commission of the crime, (c) the inquiry states with specificity the type of injury received and the time period during which treatment would have been provided, and (d) ``probable cause'' exists to believe the perpetrator received treatment from the provider. Response: We do not agree that these additional restrictions are appropriate for disclosures of limited identifying information for purposes of locating or identifying suspects, fugitives, material witnesses or missing persons. The purpose of this provision is to permit law enforcement to obtain limited time-sensitive information without the process requirements applicable to disclosures for other purposes. Only limited information may be disclosed under this provision, and disclosure is permitted only in limited circumstances. We believe that these [[Page 82685]] safeguards are sufficient, and that creating additional restrictions would undermine the purpose of the provision and that it would hinder law enforcement's ability to obtain essential, time-sensitive information. Comment: A number of law enforcement agencies recommended that the provision in the proposed rule be broadened to permit disclosure to law enforcement officials for the purpose of ``locating'' as well as ``identifying'' a suspect, fugitive, material witness or missing person. Response: We agree with the comment and have changed the provision in the final rule. We believe that locating suspects, fugitives, material witnesses and missing persons is an important public policy priority, and that it can be critical to identifying these individuals. Further, efforts to locate suspects, fugitives, material witnesses, and missing persons can be at least as time-sensitive as identifying such individuals. Comment: Several law enforcement agencies requested that the provision be broadened to permit disclosure of additional pieces of identifying information, such as ABO blood type and Rh factor, DNA information, dental records, fingerprints, and/or body fluid and tissue typing, samples and analysis. These commenters stated that additional identifying information may be necessary to permit identification of suspects, fugitives, material witnesses or missing persons. On the other hand, privacy and consumer advocates, as well as many individuals, were concerned that this section would allow all computerized medical records to be stored in a large law enforcement data base that could be scanned for matches of blood, DNA, or other individually identifiable information. Response: The final rule seeks to strike a balance in protecting privacy and facilitating legitimate law enforcement inquiries. Specifically, we have broadened the NPRM's list of data elements that may be disclosed pursuant to this section, to include disclosure of ABO blood type and rh factor for the purpose of identifying or locating suspects, fugitives, material witnesses or missing persons. We agree with the commenters that these pieces of information are important to law enforcement investigations and are no more invasive of privacy than the other pieces of protected health information that may be disclosed under this provision. However, as explained below, protected health information associated with DNA and DNA analysis; dental records; or typing, samples or analyses of tissues and bodily fluids other than blood (e.g., saliva) cannot be disclosed for the location and identification purposes described in this section. Allowing disclosure of this information is not necessary to accomplish the purpose of this provision, and would be substantially more intrusive into individuals' privacy. In addition, we understand commenters' concern about the potential for such information to be compiled in law enforcement data bases. Allowing disclosure of such information could make individuals reluctant to seek care out of fear that health information about them could be compiled in such a data base. Comment: Many commenters argued that proposed Sec. 164.510(f)(2) should be deleted because it would permit law enforcement to engage in ``fishing expeditions'' or to create large data bases that could be searched for suspects and others. Response: Some of this fear may have stemmed from the inclusion of the phrase ``other distinguishing characteristic''--which could be construed broadly--in the list of items that could have been disclosed pursuant to this section. In the final rule, we delete the phrase ``other distinguishing characteristic'' from the list of items that can be disclosed pursuant to Sec. 164.512(f)(2). In its place, we allow disclosure of a description of distinguishing physical characteristics, such as scars, tattoos, height, weight, gender, race, hair and eye color, and the presence or absence of facial hair such as a beard or moustache. We believe that such a change, in addition to the changes described in the paragraph above, responds to commenters' concern that the NPRM would have allowed creation of a government data base of personal identifying information. Further, this modification provides additional guidance to covered entities regarding the type of information that may be disclosed under this provision. Comment: At least one commenter recommended removing social security numbers (SSNs) from the list of items that may be disclosed pursuant to proposed Sec. 164.510(f)(2). The commenter was concerned that including SSNs in the (f)(2) list would cause law enforcement agencies to demand that providers collect SSNs. In addition, the commenter was concerned that allowing disclosure of SSNs could lead to theft of identity by unscrupulous persons in policy departments and health care organizations. Response: We disagree. We believe that on balance, the potential benefits from use of SSNs for this purpose outweigh the potential privacy intrusion from such use of SSNs. For example, SSNs can help law enforcement officials identify suspects are using aliases. Comments Regarding Proposed Sec. 164.510(f)(3), Information About a Victim of Crime or Abuse Comment: Some law enforcement organizations expressed concern that proposed Sec. 164.510(f)(3) could inhibit compliance with state mandatory reporting laws. Response: We recognize that the NPRM could have preempted such state mandatory reporting laws, due to the combined impact of proposed Secs. 164.510(m) and 164.510(f). As explained in detail in Sec. 164.512(a) above, we did not intend that result, and we modify the final rule to make clear that this rule does not preempt state mandatory reporting laws. Comment: Many commenters, including consumer and provider groups, expressed concern that allowing covered entities to disclose protected health information without authorization to law enforcement regarding victims of crime, abuse, and other harm could endanger victims, particularly victims of domestic violence, who could suffer further abuse if their abuser learned that the information had been reported. Provider groups also expressed concern about undermining provider- patient relationships. Some law enforcement representatives noted that in many cases, health care providers' voluntary reports of abuse or harm can be critical for the successful prosecution of violent crime. They argued, that by precluding providers from voluntarily reporting to law enforcement evidence of potential abuse, the proposed rule could make it more difficult to apprehend and prosecute criminals. Response: We recognize the need for heightened sensitivity to the danger facing victims of crime in general, and victims of domestic abuse or neglect in particular. As discussed above, the final rule includes a new section (Sec. 164.512(c)) establishing strict conditions for disclosure of protected health information about victims of abuse, neglect, and domestic violence. Victims of crime other than abuse, neglect, or domestic violence can also be placed in further danger by disclosure of protected health information relating to the crime. In Sec. 164.512(f)(3) of the final rule, we establish conditions for disclosure of protected health information in these circumstances, and we make significant modifications to the proposed rule's provision for such disclosures. Under the final rule, unless a state or other [[Page 82686]] government authority has enacted a law requiring disclosure of protected health information about a victim to law enforcement officials, in most instances, covered entities must obtain the victim's agreement before disclosing such information to law enforcement officials. This requirement gives victims control over decision making about their health information where their safety could be at issue, helps promote trust between patients and providers, and is consistent with health care providers' ethical obligation to seek patient authorization whenever possible before disclosing protected health information. At the same time, the rule strikes a balance between protecting victims and providing law enforcement access to information about potential crimes that cause harm to individuals, by waiving the requirement for agreement in two situations. In allowing covered entities to disclose protected health information about a crime victim pursuant to a state or other mandatory reporting law, we defer to other governmental bodies' judgments on when certain public policy objectives are important enough to warrant mandatory disclosure of protected health information to law enforcement. While some mandatory reporting laws are written more broadly than others, we believe that it is neither appropriate nor practicable to distinguish in federal regulations between what we consider overly broad and sufficiently focused mandatory reporting laws. The final rule waives the requirement for agreement if the covered entity is unable to obtain the individual's agreement due to incapacity or other emergency circumstance, and (1) the law enforcement official represents that the information is needed to determine whether a violation of law by a person other than the victim has occurred and the information is not intended to be used against the victim; (2) the law enforcement official represents that immediate law enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (3) the covered entity determines, in the exercise of professional judgment, that the disclosure is in the individual's best interests. By allowing covered entities, in the exercise of professional judgment, to determine whether such disclosures are in the individual's best interests, the final rule recognizes the importance of the provider-patient relationship. In addition, the final rule allows covered entities to initiate disclosures of protected health information about victims without the victim's permission to law enforcement officials only if such disclosure is required under a state mandatory reporting law. In other circumstances, plans and providers may disclose protected health information only in response to a request from a law enforcement official. We believe that such an approach recognizes the importance of promoting trust between victims and their health care providers. If providers could initiate reports of victim information to law enforcement officials absent a legal reporting mandate, victims may avoid give their providers health information that could facilitate their treatment, or they may avoid seeking treatment completely. Comment: Many commenters believed that access to medical records pursuant to this provision should occur only after judicial review. Others believed that it should occur only with patient consent or after notifying the patient of the disclosure to law enforcement. Similarly, some commenters said that the minimum necessary standard should apply to this provision, and they recommended restrictions on law enforcement agencies' re-use of the information. Response: As discussed above, the final rule generally requires individual agreement as a condition for disclosure of a victim's health information; this requirement provides greater privacy protection and individual control than would a requirement for judicial review. We also discuss above the situations in which this requirement for agreement may be waived, and why that is appropriate. The requirement that covered entities disclose the minimum necessary protected health information consistent with the purpose of the disclosure applies to disclosures of protected health information about victims to law enforcement, unless the disclosure is required by law. (See Sec. 164.514 for more detail on the requirements for minimum necessary use and disclosure of protected health information.) As described above, HIPAA does not provide statutory authority for HHS to regulate law enforcement agencies' re-use of protected health information that they obtain pursuant to this rule. Comment: A few commenters expressed concern that the NPRM would not have required law enforcement agencies' requests for protected health information about victims to be in writing. They believed that written requests could promote clarity in law enforcement requests, as well as greater accountability among law enforcement officials seeking information. Response: We do not impose this requirement in the final rule. We believe that such a requirement would not provide significant new protection for victims and would unduly impede the completion of legitimate law enforcement investigations. Comment: A provider group was concerned that it would be difficult for covered entities to evaluate law enforcement officials' claims that information is needed and that law enforcement activity may be necessary. Some comments from providers and individuals expressed concern that the proposed rule would have provided open-ended access by law enforcement to victims' medical records because of this difficulty in evaluating law enforcement claims of their need for the information. Response: We modify the NPRM in several ways that reduce covered entities' decisionmaking burdens. The final rule clarifies that covered entities may disclose protected health information about a victim of crime where a report is required by state or other law, and it requires the victim's agreement for disclosure in most other instances. The covered entity must make the decision whether to disclose only in limited circumstances: when there is no mandatory reporting law; or when the victim is unable to provide agreement and the law enforcement official represents that: the protected health information is needed to determine whether a violation of law by a person other than the victim has occurred, that the information will not be used against the victim, and that immediate law enforcement activity that depends on such information would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. In these circumstances, we believe it is appropriate to rely on the covered entity, in the exercise of professional judgment, to determine whether the disclosure is in the individual's best interests. Other sections of this rule allow covered entities to reasonably rely on certain representations by law enforcement officials (see Sec. 164.514, regarding verification,) and require disclosure of the minimum necessary protected health information for this purpose. Together, these provisions do not allow open-ended access or place undue responsibility on providers. Comments Regarding Proposed Sec. 164.510(f)(4), Intelligence and National Security Activities In the final rule, we recognize that disclosures for intelligence and national security activities do not always involve [[Page 82687]] law enforcement. Therefore, we delete the provisions of proposed Sec. 164.510(f)(4), and we address disclosures for intelligence and national security activities in Sec. 164.512(k), on uses and disclosures for specialized government functions. Comments and responses on these issues are included below, in the comments for that section. Comments Regarding Proposed Sec. 164.510(f)(5), Health Care Fraud, Crimes on the Premises, and Crimes Witnessed by the Covered Entity's Workforce Comment: Many commenters noted that proposed Sec. 164.510(f)(5)(i), which covered disclosures for investigations and prosecutions of health care fraud, overlapped with proposed Sec. 164.510(c) which covered disclosures for health oversight activities. Response: As discussed more fully in Sec. 164.512(d) of this preamble, above, we agree that proposed Sec. 164.510(f)(5)(i) created confusion because all disclosures covered by that provision were already permitted under proposed Sec. 164.510(c) without prior process. In the final rule, therefore, we delete proposed Sec. 164.510(f)(5)(i). Comment: One commenter was concerned the proposed provision would not have allowed an emergency room physician to report evidence of abuse when the suspected abuse had not been committed on the covered entity's premises. Response: Crimes on the premises are only one type of crime that providers may report to law enforcement officials. The rules for reporting evidence of abuse to law enforcement officials are described in Sec. 164.512(c) of the rule, and described in detail in Sec. 164.512(c) of the preamble. An emergency room physician may report evidence of abuse if the conditions in Sec. 164.512(c) are met, regardless of where the abuse occurred. Comment: One commenter argued that covered entities should be permitted to disclose information that ``indicates the potential existence'' of evidence, not just information that ``constitutes evidence'' of crimes on the premises or crimes witnessed by a member of the covered entity's workforce. Response: We agree that covered entities should not be required to guess correctly whether information will be admitted to court as evidence. For this reason, we include a good-faith standard in this provision. Covered entities may disclose information that it believes in good faith constitutes evidence of a crime on the premises. If the covered entity discloses protected health information in good faith but is wrong in its belief that the information is evidence of a violation of law, the covered entity will not be subject to sanction under this regulation. Section 164.512(g)--Uses and Disclosures About Decedents Coroners and Medical Examiners Comment: We received several comments, for example, from state and county health departments, a private foundation, and a provider organization, in support of the NPRM provision allowing disclosure without authorization to coroners and medical examiners. Response: The final rule retains the NPRM's basic approach to disclosure of coroners and medical examiners. It allows covered entities to disclose protected health information without authorization to coroners and medical examiners, for identification of a deceased person, determining cause of death, or other duties authorized by law. Comment: In the preamble to the NPRM, we said we had considered but rejected the option of requiring covered entities to redact from individuals' medical records any information identifying other persons before disclosing the record to a coroner or medical examiner. We solicited comment on whether health care providers routinely identify other persons specifically in an individual's medical record and if so, whether in the final rule we should require health care providers to redact information about the other person before providing it to a coroner or medical examiner. A few commenters said that medical records typically do not include information about persons other than the patient. One commenter said that patient medical records occasionally reference others such as relatives or employers. These commenters recommended requiring redaction of such information in any report sent to a coroner or medical examiner. On the other hand, other commenters said that redaction should not be required. These commenters generally based their recommendation on the burden and delay associated with redaction. In addition to citing the complexity and time involved in redaction of medical records provided to coroners, one commenter said that health plans and covered health care providers were not trained to determine the identifiable information necessary for coroners and medical examiners to do thorough investigations. Another commenter said that redaction should not be required because coroners and medical examiners needed some additional family information to determine what would be done with the deceased after their post-mortem investigation is completed. Response: We recognize the burden associated with redacting medical records to remove the names of persons other than the patient. In addition, as stated in the preamble to the NPRM, we recognize that there is a limited time period after death within which an autopsy must be conducted. We believe that the delay associated with this burden could make it impossible to conduct a post-mortem investigation within the required time frame. In addition, we agree that health plans and covered health care providers may lack the training necessary to determine the identifiable information necessary for coroners and medical examiners to do thorough investigations. Thus, in the final rule, we do not require health plans or covered providers to redact information about persons other than the patient who may be identified in a patient's medical record before disclosing the record to a coroner or medical examiner. Comment: One commenter said that medical records sent to coroners and medical examiners were considered their work product and thus were not released from their offices to anyone else. The commenter recommended that HHS establish regulations on how to dispose of medical records and that we create a ``no re-release'' statement to ensure that individual privacy is maintained without compromising coroners' or medical examiners' access to protected health information. The organization said that such a policy should apply regardless of whether the investigation was civil or criminal. Response: HIPAA does not provide HHS with statutory authority to regulate coroners' or medical examiners' re-use or re-disclosure of protected health information unless the coroner or medical examiner is also a covered entity. However, we consistently have supported comprehensive privacy legislation to regulate disclosure and use of individually identifiable health information by all entities that have access to it. Funeral Directors Comment: One commenter recommended modifying the proposed rule to allow disclosure without authorization to funeral directors. To accomplish this change, the commenter suggested either: (1) Adding another subsection to proposed Sec. 164.510 of the NPRM, to allow disclosure without authorization to funeral directors as needed to make arrangements for [[Page 82688]] funeral services and for disposition of a deceased person's remains; or (2) revising proposed Sec. 164.510(e) to allow disclosure of protected health information to both coroners and funeral directors. According to this commenter, funeral directors often need certain protected health information for the embalming process, because a person's medical condition may affect the way in which embalming is performed. For example, the commenter noted, funeral directors increasingly receive bodies after organ and tissue donation, which has implications for funeral home staff duties associated with embalming. Response: We agree with the commenter. In the final rule, we permit covered entities to disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to a decedent. When necessary for funeral directors to carry out their duties, covered entities may disclose protected health information prior to and in reasonable anticipation of the individual's death. Comment: One commenter recommended clarifying in the final rule that it does not restrict law enforcement agencies' release of medical information that many state records laws require to be reported, for example, as part of autopsy reports. The commenter recommended stating that law enforcement officials may independently gather medical information, that such information would not be covered by these rules, and that it would continue to be covered under applicable state and federal access laws. Response: HIPAA does not give HHS statutory authority to regulate law enforcement officials' use or disclosure of protected health information. As stated elsewhere, we continue to support enactment of comprehensive privacy legislation to cover disclosure and use of all individually identifiable health information. Comment: One commenter recommended prohibiting health plans and covered health care providers from disclosing psychotherapy notes to coroners or medical examiners. Response: We disagree with the commenter who asserted that psychotherapy notes should only be used by or disclosed to coroners and medical examiners with authorization. Psychotherapy notes are sometimes needed by coroners and medical examiners to determine cause of death, such as in cases where suicide is suspected as the cause of death. We understand that several states require the disclosure of protected health information, including psychotherapy notes, to medical examiners and coroners. However, in the absence of a state law requiring such disclosure, we do not intend to prohibit coroners or medical examiners from obtaining the protected health information necessary to determine an individual's cause of death. Section 164.512(h)--Uses and Disclosures for Organ Donation and Transplantation Purposes Comment: Commenters noted that under the organ donation system, information about a patient is disclosed before seeking consent for donation from families. These commenters offered suggestions for ensuring that the system could continue to operate without consent for information sharing with organ procurement organizations and tissue banks. Commenters suggested that organ and tissue procurement organizations should be ``covered entities'' or that the procurement of organs and tissues be included in the definition of health care operations or treatment, or in the definition of emergency circumstances. Response: We agree that organ and tissue donation is a special situation due to the need to protect potential donors' families from the stress of considering whether their loved one should be a donor before a determination has been made that donation would be medically suitable. Rather than list the entities that are ``covered entities'' or modify the definitions of health care operations and treatment or emergency circumstances to explicitly include organ procurement organizations and tissue banks, we have modified Sec. 164.512 to permit covered entities to use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissues. Comment: Commenters asked that the rule clarify that organ procurement organizations are health care providers but not business partners of the hospitals. Response: We agree that organ procurement organizations and tissue banks are generally not business associates of hospitals. Disclosures and Uses for Government Health Data Systems Comment: We received a number of comments supporting the exception for disclosure of protected health information to government health data systems. Some supporters stated a general belief that the uses of such information were important to improve and protect the health of the public. Commenters said that state agencies used the information from government health data systems to contribute to the improvement of the health care system by helping prevent fraud and abuse and helping improve health care quality, efficiency, and cost-effectiveness. Commenters asserted that state agencies take action to ensure that data they release based on these data systems do not identify individuals We also received a large volume of comments opposed to the exception for use and disclosure of protected health information for government health data systems. Many commenters expressed general concern that the provision threatened their privacy, and many believed that their health information would be subject to abuse by government employees. Commenters expressed concern that the provision would facilitate collection of protected health information in one large, centralized government health database that could threaten privacy. Others argued that the proposed rule would facilitate law enforcement access to protected health information and could, in fact, become a database for law enforcement use. Many commenters asserted that this provision would make individuals concerned about confiding in their health care providers. Some commenters argued that the government should not be allowed to collect individually identifiable health information without patient consent, and that the government could use de-identified data to perform the public policy analyses. Many individual commenters said that HHS lacked statutory and Constitutional authority to give the government access and control of their medical records without consent. Many commenters believed that the NPRM language on government health data systems was too broad and would allow virtually any government collection of data to be covered. They argued that the government health data system exception was unnecessary because there were other provisions in the proposed rules providing sufficient authority for government agencies to obtain the information they need. Some commenters were concerned that the NPRM's government health data system provisions would allow disclosure of protected health information for purposes unrelated to health care. These commenters recommended narrowing the provision to allow disclosure of protected health [[Page 82689]] information without consent to government health data systems in support of health care-related policy, planning, regulatory, or management functions. Others recommended narrowing the exception to allow use and disclosure of protected health information for government health databases only when a specific statute or regulation has authorized collection of protected health information for a specific purpose. Response: We agree with the commenters who suggested that the proposed provision that would have permitted disclosures to government health data bases was overly broad, and we remove it from the final rule. We reviewed the important purposes identified in the comments for government access to protected health information, and believe that the disclosures of protected health information that should appropriately be made without individuals' authorization can be achieved through the other disclosures provided for in the final rule, including provisions permitting covered entities to disclose information (subject to certain limitations) to government agencies for public health, research, health oversight, law enforcement, and otherwise as required by law. For example, the final rule continues to allow a covered entity to disclose protected health information without authorization to a public health authority to monitor trends in the spread of infectious disease, morbidity, and mortality. Under the rule's health oversight provision, covered entities can continue to disclose protected health information to public agencies for purposes such as analyzing the cost and quality of services provided by covered entities; evaluating the effectiveness of federal, state, and local public programs; examining trends in health insurance coverage of the population; and analyzing variations in access to health coverage among various segments of the population. We believe that it is better to remove the proposed provision for government health data systems generally and to rely on other, more narrowly tailored provisions in the rule to authorize appropriate disclosures to government agencies. Comment: Some provider groups, private companies, and industry organizations recommended expanding the exception for government health data systems to include data collected by private entities. These commenters said that such an expansion would be justified, because private entities often perform the same functions as public agencies collecting health data. Response: We eliminate the exception for government health data systems because it was over broad and the uses and disclosures we were trying to permit are permitted by other provisions. We note that private organizations may use or disclose protected health information pursuant to multiple provisions of the rule. Comment: One commenter recommended clarifying in the final rule that the government health data system provisions apply to: (1) Manufacturers providing data to HCFA and its contractors to help the agency make reimbursement and related decisions; and to (2) third-party payors that must provide data collected by device manufacturers to HCFA to help the agency make reimbursement and related decisions. Response: The decision to eliminate the general provision permitting disclosures to government health data systems makes this issue moot with respect to such disclosures. We note that the information used by manufacturers to support coverage determinations often is gathered pursuant to patient authorization (as part of informed consent for research) or as an approved research project. There also are many cases in which information can be de-identified before it is disclosed. Where HCFA hires a contractor to collect such protected health information, the contractor may do so under HCFA's authority, subject to the business associate provisions of this rule. Comment: One commenter recommended stating in the final rule that de-identified information from government health data systems can be disclosed to other entities. Response: HHS does not have the authority to regulate re-use or re- disclosure of information by agencies or institutions that are not covered entities under the rule. However, we support the policies and procedures that public agencies already have implemented to de-identify any information that they redisclose, and we encourage the continuation of these activities. Disclosures for Payment Processes Proposed Sec. 164.510(j) of the NPRM would have allowed disclosure of protected health information without authorization for banking and payment processes. In the final rule, we eliminate this provision. Disclosures that would have been allowed under it, as well as comments received on proposed Sec. 164.510(j), are addressed under Sec. 164.501 of the final rule, under the definition of ``payment.'' Section 164.512(i)--Uses and Disclosures for Research Purposes Documentation Requirements of IRB or Privacy Board Approval of Waiver Comment: A number of commenters argued that the proposed research requirements of Sec. 164.510(j) exceeded the Secretary's authority under section 246(c) of HIPAA. In particular, several commenters argued that the Department was proposing to extend the Common Rule and the use of the IRB or privacy boards beyond federally-funded research projects, without the necessary authority under HIPAA to do so. One commenter stated that, ``Section 246(c) of HIPAA requires the Secretary to issue a regulation setting privacy standards for individually identifiable health information transmitted in connection with the transactions described in section 1173(a),'' and thus concluded that the disclosure of health information to researchers is not covered. Some of these commenters also argued that the documentation requirements of proposed Sec. 164.510(j), did not shield the NPRM from having the effect of regulating research by placing the onus on covered health care providers to seek documentation that certain standards had been satisfied before providing protected health information to researchers. These commenters argued that the proposed rule had the clear and intended effect of directly regulating researchers who wish to obtain protected health information from a covered entity. Response: As discussed above, we do not agree with commenters that the Secretary's authority is limited to individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of HIPAA. We also disagree that the proposed research documentation requirements would have constituted the unauthorized regulation of researchers. The proposed requirements established conditions for the use of protected health information by covered entities for research and the disclosure of protected health information by covered entities to researchers. HIPAA authorizes the Secretary to regulate such uses and disclosures, and the final rule retains documentation requirements similar to those proposed. Comment: Several commenters believed that the NPRM was proposing either directly or indirectly to modify the Common Rule and, therefore, stated that such modification was beyond the Secretary's authority under HIPAA. Many of these commenters arrived at this conclusion because the waiver of [[Page 82690]] authorization criteria proposed in Sec. 164.510(j) differed from the Common Rule's criteria for the waiver of informed consent (Common Rule, Sec. __ .116(d)). Response: We do not agree that the proposed provision relating to research would have modified the Common Rule. The provisions that we proposed and provisions that we include in the final rule place conditions that must be met before a covered entity may use or disclose protected health information. Those conditions are in addition to any conditions required of research entities under the Common Rule. Covered entities will certainly be subject to laws and regulations in addition to the rule, but the rule does not require compliance with these other laws or regulations. For covered health care providers and health plans that are subject to both the final rule and the Common Rule, both sets of regulations will need to be followed. Comment: A few commenters suggested that the Common Rule should be extended to all research, regardless of funding source. Response: We generally agree with the commenters on the need to provide protections to all human subjects research, regardless of funding source. HIPAA, however, did not provide the Department with authority to extend the Common Rule beyond its current purview. For research that relies on the use or disclosure of protected health information by covered entities without authorization, the final rule applies the Common Rule's principles for protecting research subjects by, in most instances, requiring documentation of independent board review, and a finding that specified criteria designed to protect the privacy of prospective research subjects have been met. Comment: A large number of commenters agreed that the research use and disclosure of protected health information should not require authorization. Of these commenters, many supported the proposed rule's approach to research uses and disclosures without authorization, including many from health care provider organizations, the mental health community, and members of Congress. Others, while they agreed that the research use and disclosure should not require authorization disagreed with the NPRM's approach and proposed alternative models. The commenters who supported the NPRM's approach to permitting researchers access to protected health information without authorization argued that it was appropriate to apply ``Common Rule- like'' provisions to privately funded research. In addition, several commenters explicitly argued that the option to use a privacy board, in lieu of an IRB, must be maintained because requiring IRB review to include all aspects of patient privacy could diffuse focus and significantly compromise an IRB's ability to execute its primary patient protection role. Furthermore, several commenters believed that privacy board review should be permitted, but wanted equal oversight and accountability for privacy boards and IRBs. Many other commenters agreed that the research use and disclosure should not require authorization, but disagreed with the proposed rule's approach and proposed alternative models. Several of these commenters argued that the final rule should eliminate the option for privacy board review and that all research to be subject to IRB review. These commenters stated that having separate and unequal systems to approve research based on its funding source would complicate compliance and go against the spirit of the regulations. Several of these commenters, many from patient and provider organizations, opposed the permitted use of privacy boards to review research studies and instead argued that IRB review should be required for all studies involving the use or disclosure of protected health information. These commenters argued that although privacy board requirements would be similar, they are not equitable; for example, only three of the Common Rule's six requirements for the membership of IRBs were proposed to be required for the membership on privacy boards, and there was no proposed requirement for annual review of ongoing research studies that used protected health information. Several commenters were concerned that the proposed option to obtain documentation of privacy board review, in lieu of IRB review, would perpetuate the divide in the oversight of federally-funded versus publically-funded research, rather than eliminate the differential oversight of publically-and privately- funded research, with the former still being held to a stricter standard. Some of these commenters argued that these unequal protections would be especially apparent for the disclosure of research with authorization, since under the Common Rule, IRB review of human subjects studies is required, regardless of the subject's consent, before the study may be conducted. Response: Although we share the concern raised by commenters that the option for the documentation of privacy board approval for an alteration or waiver of authorization may perpetuate the unequal mechanisms of protecting the privacy of human research subjects for federally-funded versus publically-funded research, the final rule is limited by HIPAA to addressing only the use and disclosure of protected health information by covered entities, not the protection of human research subjects more generally. Therefore, the rule cannot standardize human subjects protections throughout the country. Given the limited scope of the final rule with regard to research, the Department believes that the option to obtain documentation of privacy board approval for an alteration or waiver of authorization in lieu of IRB approval provides covered entities with needed flexibility. Therefore, in the final rule we have retained the option for covered entities to rely on documentation of privacy board approval that specified criteria have been met. We disagree with the rationale suggested by commenters who argued that the option for privacy board review must be maintained because requiring IRB review to include all aspects of patient privacy could diffuse focus and significantly compromise an IRB's ability to execute its primary patient protection role. For research that involves the use of individually identifiable health information, assessing the risk to the privacy of research subjects is currently one of the key risks that must be assessed and addressed by IRBs. In fact, we expect that it will be appropriate for many research organizations that have existing IRBs to rely on these IRBs to meet the documentation requirements of Sec. 164.512(i). Comment: One health care provider organization recommended that the IRB or privacy board mechanism of review should be applied to non- research uses and disclosures. Response: We disagree. Imposing documentation of privacy board approval for other public policy uses and disclosures permitted by Sec. 164.512 would result in undue delays in the use or disclosure of protected health information that could harm individuals and the public. For example, requiring that covered health care providers obtain third-party review before permitting them to alert a public health authority that an individual was infected with a serious communicable disease could cause delay appropriate intervention by a public health authority and could present a serious threat to the health of many individuals. Comment: A number of commenters, including several members of Congress, [[Page 82691]] argued that since the research provisions in proposed Sec. 164.510(j) were modeled on the existing system of human subjects protections, they were inadequate and would shatter public trust if implemented. Similarly, some commenters, asserted that IRBs are not accustomed to reviewing and approving utilization reviews, outcomes research, or disease management programs and, therefore, IRB review may not be an effective tool for protecting patient privacy in connection with these activities. Some of these commenters noted that proposed Sec. 164.510(j) would exacerbate the problems inherent in the current federal human subjects protection system especially in light of the recent GAO reports that indicate the IRB system is already over- extended. Furthermore, a few commenters argued that the Common Rule's requirements may be suited for interventional research involving human subjects, but is ill suited to the archival and health services research typically performed using medical records without authorization. Therefore, these commenters concluded that extending ``Common Rule-like'' provisions to the private sector would be inadequate to protect human subjects and would result in significant and unnecessary cost increases. Response: While the vast majority of government-supported and regulated research adheres to strict protocols and the highest ethical standards, we agree that the federal system of human subjects protections can and must be strengthened. To work toward this goal, on May 23, the Secretary announced several additional initiatives to enhance the safety of subjects in clinical trials, strengthen government oversight of medical research, and reinforce clinical researchers' responsibility to follow federal guidelines. As part of this initiative, the National Institutes of Health have undertaken an aggressive effort to ensure IRB members and IRB staff receive appropriate training in bioethics and other issues related to research involving human subjects, including research that involves the use of individually identifiable health information. With these added improvements, we believe that the federal system of human subjects protections continues to be a good model to protect the privacy of individually identifiable health information that is used for research purposes. This model of privacy protection is also consistent with the recent recommendations of both the Institute of Medicine in their report entitled, ``Protecting Data Privacy in Health Services Research,'' and the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance in their report entitled, ``Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment.'' Both of these reports similarly concluded that health services research that involves the use of individually identifiable health information should undergo IRB review or review by another board with sufficient expertise in privacy and confidentiality protection. Furthermore, it is important to recognize that the Common Rule applies not only to interventional research, but also to research that uses individually identifiable health information, including archival research and health services research. The National Bioethics Advisory Commission (NBAC) is currently developing a report on the federal oversight of human subjects research, which is expected to address the unique issues raised by non-interventional human subjects research. The Department looks forward to receiving NBAC's report, and carefully considering the Commission's recommendations. This final rule is the first step in enhancing patients' privacy and we will propose modifications to the rule if changes are warranted by the Commission's findings and recommendations. Comment: Many commenters argued that the proposed research provision would have a chilling affect on the willingness of health plans and covered providers to participate in research because of the criminal and civil penalties that could be imposed for failing to meet the requirements that would have been required by proposed Sec. 164.510(j). Some of these commenters cautioned, that over time, research could be severely hindered if covered entities choose not to disclose protected health information to researchers. In addition, one commenter recommended that a more reasonable approach would be to require IRB or privacy board approval only if the results of the research were to be broadly published. Another commenter expressed concern that the privacy rule could influence IRBs or privacy boards to refuse to recognize the validity of decisions by other IRBs or privacy boards and specifically recommended that the privacy rule include a preamble statement that: (1) The ``risk'' balancing consider only the risk to the patient, not the risk to the institution, and (2) add a phrase that the decision by the initial IRB or privacy board to approve the research shall be given deference by other IRBs or privacy boards. This commenter also recommended that to determine whether IRBs or privacy boards were giving such deference to prior IRB or privacy board review, HHS should monitor the disapproval rate by IRB or privacy boards conducting secondary reviews. Response: As the largest federal sponsor of medical research, we understand the important role of research in improving our Nation's health. However, the benefits of research must be balanced against the risks, including the privacy risks, for those who participate in research. An individual's rights and welfare must never be sacrificed for scientific or medical progress. We believe that the requirements for the use and disclosure of protected health information for research without authorization provides an appropriate balance. We understand that some covered health care providers and health plans may conclude that the rule's documentation requirements for research uses and disclosures are too burdensome. We rejected the recommendation that documentation of IRB or privacy board approval of the waiver of authorization should only be required if the research were to be ``broadly published.'' Research findings that are published in de-identified form have little influence on the privacy interests of individuals. We believe that it is the use or disclosure of individually identifiable health information to a researcher that poses the greater risk to individuals' privacy, not publication of de-identified information. We agree with the commenters that IRB or privacy board review should address the privacy interests of individuals and not institutions. This provision is intended to protect individuals from unnecessary uses and disclosures of their health information and does not address institutional privacy. We disagree with the comment that documentation of IRB or privacy board approval of the waiver of authorization should be given deference by other IRBs or privacy boards conducting secondary reviews. We do not believe that it is appropriate to restrict the deliberations or judgments of privacy boards, nor do we have the authority under this rule to instruct IRBs on this issue. Instead, we reiterate that all disclosures for research purposes under Sec. 164.512(i) are voluntary, and that institutions may choose to impose more stringent requirements for any use and disclosure permitted under Sec. 164.512. [[Page 82692]] Comment: Some commenters were concerned about the implications of proposed Sec. 164.510(j) on multi-center research. These commenters argued that for multi-center research, researchers may require protected health information from multiple covered entities, each of whom may have different requirements for the documentation of IRB or privacy board review. Therefore, there was concern that documentation that may suffice for one covered entity, may not for another, thereby hindering multi-center research. Response: Since Sec. 164.512(i) establishes minimum documentation standards for covered health care providers and health plans using or disclosing protected health information for research purposes, we understand that some covered providers and health plans may choose to require additional documentation requirements for researchers. We note, however, that nothing in the final rule would preclude a covered health care provider or health plan from developing the consistent documentation requirements provided they meet the requirements of Sec. 164.512(i). Comment: One commenter who was also concerned that the minimum necessary requirements of proposed Sec. 164.506(b) would negatively affect multi-center research because covered entities participating in multi-site research studies would no longer be permitted to rely upon the consent form approved by a central IRB, and nor would participating entities be permitted to report data to the researcher using the case report form approved by the central IRB to guide what data points to include. This commenter noted that the requirement that each site would need to undertake a separate minimum necessary review for each disclosure would erect significant barriers to the conduct of research and may compromise the integrity and validity of data combined from multiple sites. This commenter recommended that the Secretary absolve a covered entity of the responsibility to make its own individual minimum necessary determinations if the entity is disclosing information pursuant to an IRB or privacy board-approved protocol. Response: The minimum necessary requirements in the final rule have been revised to permit covered entities to rely on the documentation of IRB or privacy board approval as meeting the minimum necessary requirements of Sec. 164.514. However, we anticipate that much multi- site research, such as multi-site clinical trials, will be conducted with patients' informed consent as required by the Common Rule and FDA's protection of human subjects regulations, and that patients' authorization will also be sought for the use or disclosure of protected health information for such studies. Therefore, it should be noted that the minimum necessary requirements do not apply for uses or disclosures made with an authorization. In addition, the final rule allows a covered health care provider or health plan to use or disclose protected health information pursuant to an authorization that was approved by a single IRB or privacy board, provided the authorization met the requirements of Sec. 164.508. The final rule does not, however, require IRB or privacy board review for the use or disclosure of protected health information for research conducted with individuals' authorization. Comment: Some commenters believed that proposed Sec. 164.510(j) would have required documentation of both IRB and privacy board review before a covered entity would be permitted to disclose protected health information for research purposes without an individual's authorization. Response: This is incorrect. Section 164.512(i)(1)(i) of the final rule requires documentation of alteration or waiver approval by either an IRB or a privacy board. Comment: Some commenters believed that the proposed rule would have required that patients be notified whenever protected health information about themselves was disclosed for research purposes. Response: This is incorrect. Covered entities are not required to inform individuals that protected health information about themselves has been disclosed for research purposes. However, as required in Sec. 164.520 of the final rule, the covered entity must include research disclosures in their notice of information practices. In addition, as required by Sec. 164.528 of the rule, covered health care providers and health plans must provide individuals, upon request, with an accounting of disclosures made of protected health information about the individual. Comment: One commenter recommended that IRB and privacy boards also be required to be accredited. Response: While we agree that the issue of accrediting IRBs and privacy boards deserves further consideration, we believe it is premature to require covered entities to ensure that the IRB or privacy board that approves an alteration or waiver of authorization is accredited. Currently, there are no accepted accreditation standards for IRBs or privacy boards, nor a designated accreditation body. Recognizing the need for and value of greater uniformity and public accountability in the review and approval process, HHS, with support from the Office of Human Research Protection, National Institutes of Health, Food and Drug Administration, Centers for Disease Control and Prevention, and Agency for Health Care Research and Quality, has engaged the Institute of Medicine to recommend uniform performance resource-based standards for private, voluntary accreditation of IRBs. This effort will draw upon work already undertaken by major national organizations to develop and test these standards by the spring of 2001, followed by initiation of a formal accreditation process before the end of next year. Once the Department has received the Institute of Medicine's recommended accreditation standards and process for IRBs, we plan to consider whether this accreditation model would also be applicable to privacy boards. Comment: A few commenters also noted that if both an IRB and a privacy board reviewed a research study and came to conflicting decisions, proposed Sec. 164.510(j) was unclear about which board's decision would prevail. Response: The final rule does not stipulate which board's decision would prevail if an IRB and a privacy board came to conflicting decisions. The final rule requires covered entities to obtain documentation that one IRB or privacy board has approved of the alteration or waiver of authorization. The covered entity, however, has discretion to request information about the findings of all IRBs and/or privacy boards that have reviewed a research proposal. We strongly encourage researchers to notify IRBs and privacy boards of any prior IRB or privacy board review of a research protocol. Comment: Many commenters noted that the NPRM included no guidance on how the privacy board should approve or deny researchers' requests. Some of these commenters recommended that the regulation stipulate that privacy boards be required to follow the same voting rules as required under the Common Rule. Response: We agree that the Common Rule (Sec. __.108(b)) provides a good model of voting procedures for privacy boards and incorporate such procedures to the extent they are relevant. In the final rule, we require that the documentation of alteration or waiver of authorization state that the alteration or waiver has been reviewed and approved by either (1) an IRB that has followed the voting requirements of the Common Rule (Sec. __.108(b)), or the expedited review [[Page 82693]] procedures of the Common Rule (Sec. __.110); or (2) unless an expedited review procedure is used, a privacy board that has reviewed the proposed research at a convened meeting at which a majority of the privacy board members are present, including at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any such entities, and the alteration or waiver of authorization is approved by the majority of privacy board members present at the meeting. Comment: A few commenters were concerned that the research provisions would be especially onerous for small non-governmental entities, furthering the federal monopoly on research. Response: We understand that the documentation requirements of Sec. 164.512(i), as well as other provisions in the final rule, may be more onerous for small entities than for larger entities. We believe, however, that when protected health information is to be used or disclosed for research without an individual's authorization, the additional privacy protections in Sec. 164.512(i) are essential to reduce the risk of harm to the individual. Comment: One commenter believed that it was paradoxical that, under the proposed rule, the disclosure of protected health information for research conducted with an authorization would have been more heavily burdened than research that was conducted without authorization, which they reasoned was far less likely to bring personal benefit to the research subjects. Response: It was not our intent to impose more requirements on covered entities using or disclosing protected health information for research conducted with authorization than for research conducted without authorization. In fact, the proposed rule would have required only authorization as stipulated in proposed Sec. 164.508 for research disclosures made with authorization, and would have been exempt from the documentation requirements in proposed Sec. 164.510(j). We retain this treatment in the final rule. We disagree with the commenter who asserted that the requirements for research conducted with authorization are more burdensome for covered health care providers and plans than the documentation provisions of this paragraph. Comment: A number of comments, mostly from the pharmaceutical industry, recommended that the final rule state that privacy boards be permitted to waive authorization only with respect to research uses of medical information collected in the course of treatment or health care operations, and not with respect to clinical research. Similarly, one commenter recommended that IRBs and privacy boards be authorized to review privacy issues only, not the entire research project. These commenters were concerned that by granting waiver authority to privacy boards and IRBs, and by incorporating the Common Rule waiver criteria into the waiver criteria included in the proposed rule, the Secretary has set the stage for privacy boards to review and approve waivers in circumstances that involve interventional research that is not subject to the Common Rule. Response: We agree with the commenters who recommended that the final rule clarify that the documentation of IRB or privacy board approval of the waiver of authorization would be based only on an assessment of the privacy risks associated with a research study, not an assessment of all relevant risks to participants. In the final rule, we have amended the language in the waiver criteria to make clear that these criteria relate only to the privacy interests of the individual. We anticipate, however, that the vast majority of uses and disclosures of protected health information for interventional research will be made with individuals' authorization. Therefore, we expect it will be rare that a researcher will seek IRB or privacy board approval for the alteration or waiver of authorization, but seek informed consent for participation for the interventional component of the research study. Furthermore, we believe that interventional research, such as most clinical trials, could not meet the waiver criteria in the final rule (Sec. 164.512(i)(2)(ii)(C)), which states ``the research could not practicably be conducted without the alteration or waiver.'' If a researcher is to have direct contact with research subjects, the researcher should in virtually all cases be able to seek and obtain patients' authorization for the use and disclosure of protected health information about themselves for the research study. Comment: A few commenters recommended that the rule explicitly state that covered entities would be permitted to rely upon an IRB or privacy boards' representation that the research proposal meets the requirements of proposed Sec. 164.510(j). Response: We agree with this comment. The final rule clarifies that covered health care providers and health plans are allowed to rely on an IRB's or privacy board's representation that the research proposal meets the requirements of Sec. 164.512(i). Comment: One commenter recommended that IRBs be required to maintain web sites with information on proposed and approved projects. Response: We agree that it could be useful for IRBs and privacy boards to maintain web sites with information on proposed and approved projects. However, requiring this of IRBs and privacy boards is beyond the scope of our authority under HIPAA. In addition, this recommendation raises concerns that would need to be addressed, including concerns about protecting the confidentiality of research participants and propriety information that may be contained in research proposals. For these reasons, we decided not to incorporate this requirement into the final rule. Comment: One commenter recommended that HHS collect data on research-related breaches of confidentiality and investigate existing anecdotal reports of such breaches. Response: This recommendation is beyond HHS' legal authority, since HIPAA did not give us the authority to regulate researchers. Therefore, this recommendation was not included in the final rule. Comment: A number of commenters were concerned that HIPAA did not give the Secretary the authority to protect information once it was disclosed to researchers who were not covered entities. Response: The Secretary shares these commenters' concerns about the Department's limited authority under HIPAA. We strongly support the enactment of additional federal legislation to fill these crucial gaps in the Secretary's authority. Comment: One commenter recommended that covered entities should be required to retain the IRB's or privacy board's documentation of approval of the waiver of individuals' authorization for at least six years from when the waiver was obtained. Response: We agree with this comment and have included such a requirement in the final rule. See Sec. 164.530(j). Comment: One commenter recommended that whenever health information is used for research or administrative purposes, a plan is in place to evaluate whether to and how to feed patient-specific information back into the health system to benefit an individual or group of patients from whom the health information was derived. Response: While we agree that this recommendation is consistent with the [[Page 82694]] responsible conduct of research, HIPAA did not give us the authority to regulate research. Therefore, this recommendation was not included in the final rule. Comment: A few commenters recommended that contracts between covered entities and researcher be pursued. Comments received in favor of requiring contractual agreements argued that such a contract would be enforceable under law, and should prohibit secondary disclosures by researchers. Some of these commenters recommended that contracts between covered entities and researchers should be the same as, or modeled on, the proposed requirements for business partners. In addition, some commenters argued that contracts between covered entities and researchers should be required as a means of placing equal responsibility on the researcher for protecting protected health information and for not improperly re-identifying information. Response: In the final rule, we have added an additional waiver criteria to require that there are adequate written assurances from the researcher that protected health information will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart. We believe that this additional waiver criteria provides additional assurance that protected health information will not be misused by researchers, while not imposing the additional burdens of a contractual requirement on covered health care providers and health plans. We were not persuaded by the comments received that contractual requirements would provide necessary additional protections, that would not also be provided by the less burdensome waiver criteria for adequate written assurance that the researcher will not re-use or disclose protected health information, with few exceptions. Our intent was to strengthen and extend existing privacy safeguards for protected health information that is used or disclosed for research, while not creating unnecessary disincentives to covered health care providers and health plans who choose to use or disclose protected health information for research purposes. Comment: Some commenters explicitly opposed requiring contracts between covered entities and researchers as a condition of permitting the use or disclosure of protected health information for research purposes. These commenters argued that such a contractual requirement would be too onerous for covered entities and researchers and would hinder or halt important research. Response: We agree with the arguments raised by these commenters, and thus, the final rule does not require contracts between covered entities and researchers as a condition of using or disclosing protected health information for research purposes without authorization. Comment: A large number of commenters strongly supported requiring patient consent before protected health information could be used or disclosed, including but not limited to use and disclosure for research purposes. These commenters argued that the unconsented-to use of their medical records abridged their autonomy right to decide whether or not to participate in research. A few referenced the Nuremberg Code in support of their view, noting that the Nuremberg Code required individual consent for participation in research. Response: We agree that it is of foremost importance that individuals' privacy rights and welfare be safeguarded when protected health information about themselves is used or disclosed for research studies. We also strongly believe that continued improvements in the nation's health requires that researchers be permitted access to protected health information without authorization in certain circumstances. Additional privacy protections are needed, however, and we have included several in the final rule. If covered entities plan to disclose protected health without individuals' authorization for research purposes, individuals must be informed of this through the covered entity's notice to patients of their information practices. In addition, before covered health care providers or health plans may use or disclose protected health information for research without authorization, they must obtain documentation that an IRB or privacy board has found that specified waiver criteria have been met, unless the research will include protected health information about deceased individuals only, or is solely for reviews that are preparatory to research. While it is true that the first provision of the Nuremberg Code states that ``the voluntary consent of the human subject is absolutely essential,'' it is important to understand the context of this important document in the history of protecting human subjects research from harm. The Nuremberg Code was developed for the Nuremberg Military Tribunal as standards by which to judge the human experimentation conducted by the Nazis, and was one of the first documents setting forth principles for the ethical conduct of human subjects research. The acts of atrocious cruelty that the Nuremberg Code was developed to address, focused on preventing the violations to human rights and dignity that occurred in the name of ``medical advancement.'' The Code, however, did not directly address the ethical conduct of non- interventional research, such as medical records research, where the risk of harm to participants can be unlike those associated with clinical research. We believe that the our proposed requirements for the use or disclosure of protected health information for research are consistent with the ethical principles of ``respect for persons,'' ``beneficence,'' and ``justice,'' which were established by the Belmont Report in 1978, and are now accepted as the quintessential requirements for the ethical conduct of research involving human subjects, including research using individually identifiable health information. These ethical principles formed the foundation for the requirements in the Common Rule, on which our proposed requirements for research uses and disclosures were modeled. Comment: Many commenters recommended that the privacy rule permit individuals to opt out of having their records used for the identified ``important'' public policy purposes in Sec. 164.510, including for research purposes. These commenters asserted that permitting the use and disclosure of their protected health information without their consent, or without an opportunity to ``opt out'' of having their information used or disclosed, abridged individuals' right to decide who should be permitted access to their medical records. In addition, one commenter argued that although the research community has been sharply critical of a Minnesota law that limits access to health records (Minnesota Statute Section 144.335 (1998)), researchers have cited a lack of response to mailed consent forms as the primary factor behind a decrease in the percentage of medical records available for research. This commenter argued that an opt-out provision would not be subject to this ``nonresponder'' problem. Response: We believe that a meaningful right to ``opt out'' of a research study requires that individuals be contacted and informed about the study for which protected health information about themselves is being requested by a researcher. We concluded, therefore, that an ``opt out'' provision of this nature may suffer from [[Page 82695]] the same decliner bias that has been experienced by researchers who are subject to laws that require patient consent for medical records research. Furthermore, evidence on the effect of a mandatory ``opt out'' provision for medical records research is only fragmentary at this time, but at least one study has preliminarily suggested that those who refuse to consent for research access to their medical records may differ in statistically significant ways from those who consent with respect to variables such as age and disease category (SJ Jacobsen et al. ``Potential Effect of Authorization Bias on Medical Records Research.'' Mayo Clin Proc 74: (1999) 330-338). For these reasons, we disagree with the commenters who recommended that an ``opt out'' provision be included in the final rule. In the final rule, we do require covered entities to include research disclosures in their notice of information practices. Therefore, individuals who do not wish for protected health information about themselves to be disclosed for research purposes without their authorization could select a health care provider or health plan on this basis. In addition, the final rule also permits covered health care providers or health plans to agree not to disclose protected health information for research purposes, even if research disclosures would otherwise be permitted under their notice of information practices. Such an agreement between a covered health care provider or health plan and an individual would not be enforceable under the final rule, but might be enforceable under applicable state law. Comment: Some commenters explicitly recommended that there should be no provision permitting individuals to opt out of having their information used for research purposes. Response: We agree with these commenters for the reasons discussed above. IRB and Privacy Board Review Comments: The NPRM imposed no requirements for the location or sponsorship of the IRB or privacy board. One commenter supported the proposed approach to permit covered entities to rely on documentation of a waiver by a IRB or privacy board that was convened by the covered entity, the researcher, or another entity. In contrast, a few commenters recommended that the NPRM require that the IRB or privacy board be outside of the entity conducting the research, although the rationale for these recommendations was not provided. Several industry and consumer groups alternatively recommended that the regulation require that privacy boards be based at the covered entity. These comments argued that ``if the privacy board is to be based at the entity receiving data, and that entity is not a covered entity, there will be little ability to enforce the regulation or study the effectiveness of the standards.'' Response: We agree with the comment supporting the proposed rule's provision to impose no requirements for the location or sponsorship of the IRB or privacy board that was convened to review a research proposal for the alteration or waiver of authorization criteria. In the absence of a rationale, we were not persuaded by the comments asserting that the IRB or privacy board should be convened outside of the covered entity. In addition, while we agree with the comments that asserted HHS would have a greater ability to enforce the rule if a privacy board was established at the covered entity rather than an uncovered entity, we concluded that the additional burden that such a requirement would place on covered entities was unwarranted. Furthermore, under the Common Rule and FDA's protection of human subjects regulations, IRB review often occurs at the site of the recipient researchers' institution, and it was not our intent to change this practice. Therefore, in the final rule, we continue to impose no requirements for the location or sponsorship of the IRB or privacy board. Privacy Board Membership Comment: Some commenters were concerned that the proposed composition of the privacy board did not adequately address potential conflicts of interest of the board members, particularly since the proposed rule would have permitted the board's ``unaffiliated'' member to be affiliated with the entity disclosing the protected health information for research purposes. To address this concern, some commenters recommended that the required composition of privacy boards be modified to require ``* * * at least one member who is not affiliated with the entity receiving or disclosing protected health information.'' These commenters believed that this addition would be more sound and more consistent with the Common Rule's requirements for the composition of IRBs. Furthermore, it was argued that this requirement would prohibit covered entities from creating a privacy board comprised entirely of its own employees. Response: We agree with these comments. In the final rule we have revised the proposed membership for privacy board to reduce potential conflict of interest among board members. The final rule requires that documentation of alteration or waiver from a privacy board, is only valid under Sec. 164.512(i) if the privacy board includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to a person who is affiliated with such entities. Comment: One commenter recommended that privacy boards be required to include more than one unaffiliated member to address concerns about conflict of interest among members. Response: We disagree that privacy boards should be required to include more than one unaffiliated member. We believe that the revised membership criterion for the unaffiliated member of the privacy board, and the criterion that requires that the board have no member participating in a review of any project in which the member has a conflict of interest, are sufficient to ensure that no member of the board has a conflict of interest in a research proposal under their review. Comment: Many commenters also recommended that the membership of privacy boards be required to be more similar to that of IRBs. These commenters were concerned that privacy boards, as described in the proposed rule, would not have the needed expertise to adequately review and oversee research involving the use of protected health information. A few of these commenters also recommended that IRBs be required to have at least one member trained in privacy or security matters. Response: We disagree with the comments asserting that the membership of privacy boards should be required be more similar to IRBs. Unlike IRBs, privacy boards only have responsibility for reviewing research proposals that involve the use or disclosure of protected health information without authorization. We agree, however, that the proposed rule may not have ensured that the privacy board had the necessary expertise to protect adequately individuals' privacy rights and interests. Therefore, in the final rule, we have modified one of the membership criteria for privacy board to require that the board has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests. Comment: Two commenters recommended that IRBs and privacy [[Page 82696]] boards be required to include patient advocates. Response: The Secretary's legal authority under HIPAA does not permit HHS to modify the membership of IRBs. Moreover, we disagree with the comments recommending that IRBs and privacy board should be required to include patient advocates. We were not persuaded that patient advocates are the only persons with the needed expertise to protect patients' privacy rights and interests. Therefore, in the final rule, we do not require that patient advocates be included as members of a privacy board. However, under the final rule, IRBs and privacy board members could include patient advocates provided they met the required membership criteria in Sec. 164.512(i). Comment: A few commenters requested clarification of the term ``conflict of interest'' as it pertained to the proposed rule's criteria for IRB and privacy board membership. In particular, some commenters recommended that the final rule clarify what degree of involvement in a research project by a privacy board member would constitute a conflict, thereby precluding that individual's participation in a review. One commenter specifically requested clarification about whether employment by the covered entity constituted a conflict of interest, particularly if the covered entity is receiving a financial gain from the conduct of the research. Response: We understand that determining what constitutes conflict of interest can be complex. We do not believe that employees of covered entities or employees of the research institution requesting protected health information for research purposes are necessarily conflicted, even if those employees may benefit financially from the research. However, there are many factors that should be considered in assessing whether a member of an IRB has a conflict of interest, including financial and intellectual conflicts. As part of a separate, but related effort to the final rule, during the summer of 2000, HHS held a conference on human subject protection and financial conflicts of interest. In addition, HHS solicited comments from the public about financial conflicts of interest associated with human subjects research for researchers, IRB members and staff, and research sponsors. The findings from the conference and the public comments received are forming the basis for guidance that HHS is now developing on financial conflicts of interest. Privacy Training for IRB and Privacy Boards Comment: A few commenters expressed support for training IRB members and chairs about privacy issues, recommending that such training either be required or that it be encouraged in the final rule. Response: We agree with these comments and thus encourage institutions that administer IRBs and privacy boards to ensure that the members of these boards are adequately trained to protect the privacy rights and welfare of individuals about whom protected health information is used for research purposes. In the final rule, we require that privacy board members have varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests. We believe that this criterion for privacy board membership requires that members already have the necessary knowledge or that they be trained to address privacy issues that arise in the conduct of research that involves the use of protected health information. In addition, we note that the Common Rule (Sec. ____.107(a)) already imposes a general requirement that IRB members posses adequate training and experience to adequately evaluate the research which it reviews. IRBs are also authorized to obtain the services of consultants (Sec. ____.107(f)) to provide expertise not available on the IRB. We believe that these existing requirements in the Common Rule already require that an IRB have the necessary privacy expertise. Waiver Criteria Comment: A large number of comments supported the proposed rule's criteria for the waiver of authorization by an IRB or privacy board. Response: While we agree that several of the waiver criteria should be retained in the final rule, we have made changes to the waiver criteria to address some of the comments we received on specific criteria. These reason for these changes are discussed in the response to comments below. Comment: In addition to the proposed waiver criteria, several commenters recommended that the final rule also instruct IRBs and privacy boards to consider the type of protected health information and the sensitivity of the information to be disclosed in determining whether to grant a waiver, in whole or in part, of the authorization requirements. Response: We agree with these comments, but believe that the requirement to consider the type and sensitivity of protected health information was already encompassed by the proposed waiver criteria. We encourage and expect that IRBs and privacy boards will take into consideration the type and sensitivity of protected health information, as appropriate, in considering the waiver criteria included in the final rule. Comment: Many commenters were concerned that the criteria were not appropriate in the context of privacy risks and recommended that the waiver criteria be rewritten to more precisely focus on the protection of patient privacy. In addition, some commenters argued that the proposed waiver criteria were redundant with the Common Rule and were confusing because they mix elements of the Common Rule's waiver criteria--some of which they argued were relevant only to interventional research. In particular, a number of commenters raised these concerns about proposed criterion (ii). Some of these commenters suggested that the word ``privacy'' be inserted before ``rights.'' Response: We agree with these comments. To focus all of the criterion on individuals' privacy interests, in the final rule, we have modified one of the proposed waiver criteria, eliminated one proposed criterion, and added an additional criterion : (1) the proposed criterion which stated, ``the waiver will not adversely affect the rights and welfare of the subjects,'' has been revised in the final rule as follows: ``the alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;'' (2) the proposed criterion which stated, ``whenever appropriate, the subjects will be provided with additional pertinent information after participation,'' has been eliminated; and (3) a criterion has been added in the final rule which states, ``there are adequate written assurances that the protected health information will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.'' In addressing these criteria, we expect that IRBs and privacy boards will not only consider the immediate privacy interests of the individual that would arise from the proposed research study, but also the possible implications from a loss of privacy, such as the loss of employment, loss or change in cost of health insurance, and social stigma. [[Page 82697]] Comment: A number of commenters were concerned about the interaction between the proposed rule and the Common Rule. One commenter opposed the four proposed waiver criteria which differed from the Common Rule's criteria for the waiver of informed consent (Sec. ____.116(d)) on the grounds that the four criteria proposed in addition to the Common Rule's waiver criteria would apply only to the research use and disclosure of protected health information by covered entities. This commenter argued that this would lead to different standards for the protection of other kinds of individually identifiable health information used in research that will fall outside of the scope of the final rule. This commenter concluded that this inconsistency would be difficult for IRBs to administer, difficult for IRB members to distinguish, and would be ethically questionable. For these reasons, many commenters recommended that the final rule should permit the waiver criteria of the Common Rule, to be used in lieu of the waiver criteria identified in the proposed rule. Response: We disagree with the comments recommending that the waiver criteria of the Common Rule should be permitted to be used in lieu of the waiver criteria identified in the proposed rule. The Common Rule's waiver criteria were designed to protect research subjects from all harms associated with research, not specifically to protect individuals' privacy interests. We understand that the waiver criteria in the final rule may initially cause confusion for IRBs and researchers that must attend to both the final rule and the Common Rule, but we believe that the additional waiver criteria adopted in the final rule are essential to ensure that individuals' privacy rights and welfare are adequately safeguarded when protected health information about themselves is used for research without their authorization. We agree that ensuring that the privacy rights and welfare of all human subjects--involved in all forms of research--is ethically required, and the new Office of Human Research Protection will immediately initiate plans to review the confidentiality provisions of the Common Rule. In addition, at the request of the President, the National Bioethics Advisory Commission has begun an examination of the current federal human system for the protection of human subjects in research. The current scope of the federal regulatory protections for protecting human subjects in research is just one of the issues that will be addressed in the by the Commission's report, and the Department looks forward to receiving the Commission's recommendations. Concerns About Specific Waiver Criteria Comment: One commenter argued that the term ``welfare'' was vague and recommended that it be deleted from the proposed waiver of authorization criterion which stated, ``the waiver will not adversely affect the rights and welfare of the subjects.'' Response: We disagree with the comment recommending that the final rule eliminate the term ``welfare'' from this waiver criterion. As discussed in the National Bioethics Advisory Commission's 1999 report entitled, ``Research Involving Human Biological Materials: Ethical Issues and Policy Guidance,'' ``Failure to obtain consent may adversely affect the rights and welfare of subjects in two basic ways. First, the subject may be improperly denied the opportunity to choose whether to assume the risks that the research presents, and second, the subject may be harmed or wronged as a result of his or her involvement in research to which he or she has not consented * * *. Subjects' interest in controlling information about themselves is tied to their interest in, for example, not being stigmatized and not being discriminated against in employment and insurance.'' Although this statement by the Commission was made in the context of research involving human biological materials, we believe research that involves the use of protected health information similarly requires that social and psychological harms be considered when assessing whether an alteration or waiver will adversely affect the privacy rights and welfare of individuals. We believe it would be insufficient to attend only to individuals' privacy ``rights'' since some of the harms that could result from a breach of privacy, such as stigmatization, and discrimination in employment or insurance, may not be tied directly to an individuals' ``rights,'' but would have a significant impact on their welfare. Therefore, in the final rule, we have retained the term ``welfare'' in this criterion for the alteration or waiver of authorization but modified the criterion as follows to focus more specifically on privacy concerns and to clarify that it pertains to alterations of authorization: ``the alteration or waiver will not adversely affect the privacy rights and the welfare of the individual.'' Comment: A few commenters recommended that the proposed waiver criteria that stated, ``the research could not practicably be conducted without the waiver,'' be modified to eliminate the term ``practicably.'' These commenters believed that determining ``practicably'' was subjective and that its elimination would facilitate IRBs' and privacy boards' implementation of this criterion. In addition, one commenter was concerned that this term could be construed to require authorization if enough weight is given to a privacy interest, and little weight is given to cost or administrative burden. This commenter recommended that the criterion be changed to allow a waiver if the ``disclosure is necessary to accomplish the research or statistical purpose for which the disclosure is to be made.'' Response: We disagree with the comments recommending that the term ``practicability'' be deleted from this waiver criterion. We believe that an assessment of practicability is necessary to account for research that may be possible to conduct with authorization but that would be impracticable if authorization were required. For example, in research study that involves thousands of records, it may be possible to track down all potential subjects, but doing so may entail costs that would make the research impracticable. In addition, IRBs have experience implementing this criterion since it is nearly identical to a waiver criterion in the Common Rule (Sec. __.116(d)(3)). We also disagree with the recommendation to change the criterion to state, ``disclosure is necessary to accomplish the research or statistical purpose for which the disclosure is to be made.'' We believe it is essential that consideration be given as to whether it would be practicable for research to be conducted with authorization in determining whether a waiver of authorization is justified. If the research could practicably be conducted with authorization, then authorization must be sought. Authorization must not be waived simply for convenience. Therefore, in the final rule, we have retained this criterion and clarified that it also applies to alterations of authorization. This waiver criterion in the final rule states, ``the research could not practicably be conducted without the alteration or waiver.'' Comment: Some commenters argued that the criterion which stated, ``whenever appropriate, the subjects will be provided with additional pertinent information after participation,'' should be deleted. Some comments recommended that the criterion should be deleted for privacy reasons, arguing that it would be inappropriate to create a reason for the researcher to contact the individual [[Page 82698]] whose data were analyzed, without IRB review of the proposed contact as a patient intervention. Other commenters argued for the deletion of the criterion on grounds that requiring researchers to contact patients whose records were used for archival research would be unduly burdensome, while adding little to the patient's base of information. Several commenters also argued that the criterion was not pertinent to non-interventional retrospective research requiring access to archived protected health information. In addition, one commenter asserted that this criterion was inconsistent with the Secretary's rationale for prohibiting disclosures of ``research information unrelated to treatment'' for purposes other than research. This commenter argued that the privacy regulations should not mandate that a covered entity provide information with unknown validity or utility directly to patients. This commenter recommended that a patient's physician, not the researcher, should be the one to contact a patient to discuss the significance of new research findings for that individual patient's care. Response: Although we disagree with the arguments made by commenters recommending that this criterion be eliminated in the final rule, we concluded that the criterion was not directly related to ensuring the privacy rights and welfare of individuals. Therefore, we eliminated this criterion in the final rule. Comment: A few commenters recommended that the criterion, which required that ``the research would be impracticable to conduct without access to and use of the protected health information,'' be deleted because it would be too subjective to be meaningful. Response: We disagree with comments asserting that this proposed criterion would be too subjective. We believe that researchers should be required to demonstrate to an IRB or privacy board why protected health information is necessary for their research proposal. If a researcher could practicably use de-identified health information for a research study, protected health information should not be used or disclosed for the study without individuals' authorization. Therefore, we retain this criterion in the final rule. In considering this criterion, we expect IRBs and privacy boards to consider the amount of information that is needed for the study. To ensure the covered health care provider or health plan is informed of what information the IRB or privacy board has determined may be used or disclosed without authorization, the final rule also requires that the documentation of IRB or privacy board approval of the alteration or waiver describe the protected health information for which use or access has been determined to be necessary. Comment: A large number of comments objected to the proposed waiver criterion, which stated that, ``the research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure.'' The majority of these commenters argued that the criterion was overly subjective, and that due to its subjectivity, IRBs and privacy boards would inevitably apply it inconsistently. Several commenters asserted that this criterion was unsound in that it would impose on reviewing bodies the explicit requirement to form and debate conflicting value judgments about the relative weights of the research proposal versus an individual's right to privacy. Furthermore these commenters argued that this criterion was also unnecessary because the Common Rule already has a requirement that deals with this issue more appropriately. In addition, one commenter argued that the rule eliminate this criterion because common purposes should not override individual rights in a democratic society. Based on these arguments, these commenters recommended that this criterion be deleted. Response: We disagree that it is inappropriate to ask IRBs and privacy boards to ensure that there is a just balance between the expected benefits and risks to individual participants from the research. As noted by several commenters, IRBs currently conduct such a balancing of risks and benefits because the Common Rule contains a similar criterion for the approval of human subjects research (Sec. __.111(a)(2)). However, we disagree with the comments asserting that the proposed criterion was unnecessary because the Common Rule already contains a similar criterion. The Common Rule does not explicitly address the privacy interests of research participants and does not apply to all research that involves the use or disclosure of protected health information. However, we agree that the relevant Common Rule criterion for the approval of human subjects research provides better guidance to IRBs and privacy boards for assessing the privacy risks and benefits of a research proposal. Therefore, in the final rule, we modeled the criterion on the relevant Common Rule requirement for the approval of human subjects research, and revised the proposed criterion to state: ``the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits if any to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research.'' Comment: One commenter asserted that as long as the research organization has adequate privacy protections in place to keep the information from being further disclosed, it is unnecessary for the IRB or privacy board to make a judgment on whether the value of the research outweighs the privacy intrusion. Response: The Department disagrees with the assertion that adequate safeguards of protected health information are sufficient to ensure that the privacy rights and welfare of individuals are adequately protected. We believe it is imperative that there be an assessment of the privacy risks and anticipated benefits of a research study that proposes to use protected health information without authorization. For example, if a research study was so scientifically flawed that it would provide no useful knowledge, any risk to patient privacy that might result from the use or disclosure of protected health information without individuals' authorization would be too great. Comment: A few commenters asserted that the proposed criterion requiring ``an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining identifiers,'' conflicted with the regulations of the FDA on clinical record keeping (21 CFR 812.140(d)) and the International Standard Organization on control of quality records (ISO 13483, 4.16), which require that relevant data be kept for the life of a device. In addition, one commenter asserted that this criterion could prevent follow up care. Similarly, other commenters argued that the new waiver criteria would be likely to confuse IRBs and may impair researchers' ability to go back to IRBs to request extensions of time for which samples or data can be stored if researchers are unable to anticipate future uses of the data. Response: We do not agree with the comment that there is a conflict between either the FDA or the ISO regulations and the proposed waiver criteria in the rule. We believe that compliance with such recordkeeping requirements would be ``consistent with the conduct of research'' which is subject to such requirements. Nonetheless, to avoid any confusion, in the final rule we have added the phrase ``or such retention is [[Page 82699]] otherwise required by law'' to this waiver criterion. We also disagree with the comments that this criterion would prevent follow up care to individuals or unduly impair researchers from retaining identifiers on data for future research. We believe that patient care would qualify as a ``health * * * justification for retaining identifiers.'' In addition, we understand that researchers may not always be able to anticipate that the protected health information they receive from a covered health care provider or health plan for one research project may be useful for the conduct of future research studies. However, we believe that the concomitant risk to patient privacy of permitting researchers to retain identifiers they obtained without authorization would undermine patient trust, unless researchers could identify a health or research justification for retaining the identifiers. In the final rule, an IRB or privacy board is not required to establish a time limit on a researcher's retention of identifiers. Additional Waiver Criteria Comment: A few comments recommended that there be a additional waiver criterion to safeguard or limit subsequent use or disclosure of protected health information by the researcher. Response: We agree with these comments. In the final rule, we include a waiver criterion requiring ``there are adequate written assurances that the protected health information will not be re-used or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart.'' Waiving Authorization, in Whole or in Part Comment: A few commenters requested that the final rule clarify what ``in whole or in part'' means if authorization is waived or altered. Response: In the proposed rule, it was HHS' intent to permit IRBs and privacy boards to either waive all of the elements for authorization, or alternatively, waive only some of the elements of authorization. Furthermore, we also intended to permit IRBs and privacy boards to alter the authorization requirements. Therefore, in the final rule, we clarify that the alteration to and waiver of authorization, in whole or in part, are permitted as stipulated in Sec. 164.512(i). Expedited Review Comment: One commenter asserted that the proposed rule would prohibit expedited review as permitted under the Common Rule. Many commenters supported the proposal in the rule to incorporate the Common Rule's provision for expedited review, and strongly recommended that this provision be retained in the final rule. Several of these commenters argued that the expedited review mechanism provides IRBs with the much-needed flexibility to focus volunteer-IRB members' limited resources. Response: We agree that expedited review should be available, and included a provision permitting expedited review under specified conditions. We understand that the National Bioethics Advisory Commission is currently developing a report on the federal oversight of human subjects research, which is expected to address the Common Rule's requirements for expedited review. HHS looks forward to receiving the National Bioethics Advisory Commission's report, and will modify the provisions for expedited review in the privacy rule if changes are warranted by the Commission's findings and recommendations. Required Signature Comment: A few commenters asserted that the proposed requirement that the written documentation of IRB or privacy board approval be signed by the chair of the IRB or the privacy board was too restrictive. Some commenters recommended that the final rule permit the documentation of IRB or privacy board approval to be signed by persons other than the IRB or privacy board chair, including: (1) Any person authorized to exercise executive authority under IRB's or privacy board's written procedures; (2) the IRB's or privacy board's acting chair or vice chair in the absence of the chair, if permitted by IRB procedures; and (3) the covered entity's privacy official. Response: We agree with the commenters who argued that the final rule should permit the documentation of IRB or privacy board approval to be signed by someone other than the chair of the board. In the final rule, we permit the documentation of alteration or waiver of authorization to be signed by the chair or other member, as designated by the chair of the IRB or privacy board, as applicable. Research Use and Disclosure With Authorization Comment: Some commenters, including several industry and consumer groups, argued that the proposed rule would establish a two-tiered system for public and private research. Privately funded research conducted with an authorization for the use or disclosure of protected health information would not require IRB or privacy board review, while publically funded research conducted with authorization would require IRB review as required by the Common Rule. Many of these commenters argued that authorization is insufficient to protect patients involved in research studies and recommended that IRB or privacy board review should be required for all research regardless of sponsor. These commenters asserted that it is not sufficient to obtain authorization, and that IRBs and privacy boards should review the authorization document, and assess the risks and benefits to individuals posed by the research. Response: For the reasons we rejected the recommendation that we eliminate the option for privacy board review and require IRB review for the waiver of authorization, we also decided against requiring documentation of IRB or privacy board approval for research conducted with authorization. HHS strongly agrees that IRB review is essential for the adequate protection of human subjects involved in research, regardless of whether informed consent and/or individuals' authorization is obtained. In fact, IRB review may be even more important for research conducted with subjects' informed consent and authorization since such research may present greater than minimal risk to participants. However, HHS' authority under HIPAA is limited to safeguarding the privacy of protected health information, and does not extend to protecting human subjects more broadly. Therefore, in the final rule we have not required documentation of IRB or privacy board review for the research use or disclosure of protected health information conducted with individuals' authorization. As mentioned above, HHS looks forward to receiving the recommendations of the National Bioethics Advisory Commission, which is currently examining the current scope of federal regulatory protections for protecting human subjects in research as part of its overarching report on the federal oversight of human subjects protections. Comment: Due to concern about several of the elements of authorization, many commenters recommended that the final rule stipulate that ``informed consent'' obtained pursuant to the Common Rule be deemed to meet the requirements for ``authorization.'' These commenters argued that the NPRM's [[Page 82700]] additional authorization requirements offered no additional protection to research participants but would be a substantive impediment to research. Response: We disagree with the comments asserting that the proposed requirements for authorization for the use or disclosure of protected health information would have offered research subjects no additional privacy protection. Because the purposes of authorization and informed consent differ, the proposed rule's requirements for authorization pursuant to a request from a researcher (Sec. 164.508) and the Common Rule's requirements for informed consent (Common Rule, Sec. __.116) contain important differences. For example, unlike the Common Rule, the proposed rule would have required that the authorization include a description of the information to be used or disclosed that identifies the information in a specific and meaningful way, an expiration date, and where, use of disclosure of the requested information will result in financial gain to the entity, a statement that such gain will result. We believe that the authorization requirements provide individuals with information necessary to determine whether to authorize a specific use or disclosure of protected health information about themselves, that are not required by the Common Rule. Therefore, in the final rule, we retain the requirement for authorization for all uses and disclosures of protected health information not otherwise permitted without authorization by the rule. Some of the proposed requirements for authorization were modified in the final rule as discussed in the preamble on Sec. 164.508. The comments received on specific proposed elements of authorization as they would have pertained to research are addressed below. Comment: A number of commenters, including several from industry and consumer groups, recommended that the final rule require patients' informed consent as stipulated in the Common Rule. These commenters asserted that the proposed authorization document was inadequate for research uses and disclosures of protected health information since it included fewer elements than required for informed consent under the Common Rule, including for example, the Common Rule's requirement that the informed consent document include: (1) A description of any reasonably foreseeable risks or discomforts to the subject; (2) a description of any benefits to the subject or to others which may reasonably be expected from the research (Common Rule, Sec. __.116(a)). Response: While we agree that the ethical conduct of research requires the voluntary informed consent of research subjects, as stipulated in the Common Rule, as we have stated elsewhere, the privacy rule is limited to protecting the confidentiality of individually identifiable health information, and not protecting human subjects more broadly. Therefore, we believe it would not be within the scope of the final rule to require informed consent as stipulated by the Common Rule for research uses and disclosures of protected health information. Comment: Several commenters specifically objected to the authorization requirement for a ``expiration date.'' To remedy this concern, many of these commenters proposed that the rule exempt research from the requirement for an expiration date if an IRB has reviewed and approved the research study. In particular, some commenters asserted that the requirement for an expiration date would be impracticable in the context of clinical trials, where the duration of the study depends on several different factors that cannot be predicted in advance. These commenters argued that determining an exact date would be impossible due to the legal requirements that manufactures and the Food and Drug Administration be able to retrospectively audit the source documents when patient data are used in clinical trials. In addition, some commenters asserted that a requirement for an expiration date would force researchers to designate specific expiration dates so far into the future as to render them meaningless. Response: We agree with commenters that an expiration date is not always possible or meaningful. In the final rule, we continue to require an identifiable expiration, but permit it to be a specific date or an event directly relevant to the individual or the purpose of the authorization (e.g., for the duration of a specific research study) in which the individual is a participant. Comment: A number of commenters, including those from the pharmaceutical industry, were concerned about the authorization requirement that gave patients the right to revoke consent for participation in clinical research. These commenters argued that such a right to revoke authorization for the use of their protected health information would require complete elimination of the information from the record. Some stated that in the conduct of clinical trials, the retrieval of individually identifiable health information that has already been blinded and anonymized, is not only burdensome, but should this become a widespread practice, would render the trial invalid. One commenter suggested that the Secretary modify the proposed regulation to allow IRBs or privacy boards to determine the duration of authorizations and the circumstances under which a research participant should be permitted to retroactively revoke his or her authorization to use data already collected by the researcher. Response: We agree with these concerns. In the final rule we have clarified that an individual cannot revoke an authorization to the extent that action has been taken in reliance on the authorization. Therefore, if a covered entity has already used or disclosed protected health information for a research study pursuant to an authorization obtained as required by Sec. 164.508, the covered entity is not required under the rule, unless it agreed otherwise, to destroy protected health information that was collected, nor retrieve protected health information that was disclosed under such an authorization. However, once an individual has revoked an authorization, no additional protected health information may be used or disclosed unless otherwise permitted by this rule. Comment: Some commenters were concerned that the authorization requirement to disclose ``financial gain'' would be problematic as it would pertain to research. These commenters asserted that this requirement could mislead patients and would make it more difficult to attract volunteers to participate in research. One commenter recommended that the statement be revised to state ``that the clinical investigator will be compensated for the value of his/her services in administrating this clinical trial.'' Another commenter recommended that the authorization requirement for disclosure of financial gain be defined in accordance with FDA's financial disclosure rules. Response: We strongly believe that a requirement for the disclosure of financial gain is imperative to ensure that individuals are informed about how and why protected health information about themselves will be used or disclosed. We agree, however, that the language of the proposed requirement could cause confusion, because most activities involve some type of financial gain. Therefore, in the final rule, we have modified the language to provide that when the covered entity initiates [[Page 82701]] the authorization and the covered entity will receive direct or indirect remuneration (rather than financial gain) from a third party in exchange for using or disclosing the health information, the authorization must include a statement that such remuneration will result. Comment: A few commenters asserted that the requirement to include a statement in which the patient acknowledged that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by federal privacy law would be inconsistent with existing protections implemented by IRBs under the Common Rule. In particular they stated that this inconsistency exists because IRBs are required to consider the protections in place to protect patients' confidential information and that IRBs are charged with ensuring that researchers comply with the confidentiality provisions of the informed consent document. Response: We disagree that this proposed requirement would pose a conflict with the Common Rule since the requirement was for a statement that the ``information may no longer be protected by the federal privacy law.'' This statement does not pertain to the protections provided under the Common Rule. In addition, while we anticipate that IRBs and privacy boards will most often waive all or none of the authorization requirements, we clarify an IRB or privacy board could alter this requirement, among others, if the documentation requirements of Sec. 164.512(i) have been met. Reviews Preparatory to Research Comment: Some industry groups expressed concern that the research provision would prohibit physicians from using patient information to recruit subjects into clinical trials. These commenters recommended that researchers continue to have access to hospitals' and clinics' patient information in order to recruit patients for studies. Response: Under the proposed rule, even if the researcher only viewed the medical record at the site of the covered entity and did not record the protected health information in a manner that patients could be identified, such an activity would have constituted a use or disclosure that would have been subject to proposed Sec. 164.508 or proposed Sec. 164.510. Based on the comments received and the fact finding we conducted with the research community, we concluded that documentation of IRB or privacy board approval could halt the development of research hypotheses that require access to protected health information before a formal protocol can be developed and brought to an IRB or privacy board for approval. To avoid this unintended result, the final rule permits covered health care providers and health plans to use or disclose protected health information for research if the covered entity obtains from the researcher representations that: (1) Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research; (2) no protected health information is to be removed from the covered entity by the researcher in the course of the review; and (3) the protected health information for which use or access is sought is necessary for the research purposes. Comment: A few commenters asserted that the final rule should eliminate the possibility that research requiring access to protected health information could be determined to be ``exempt'' from IRB review, as provided by the Common Rule (Sec. __.101(b)(4)). Response: The rule did not propose nor intend to modify any aspect of the Common Rule, including the provision that exempts from coverage, ``research involving the collection or study of existing data, documents, records, pathological specimens, or diagnostic specimens, if these sources are publically available, or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or indirectly through identifiers linked to the subjects' (Sec. __.101(b)(4)). For the reasons discussed above, we have included a provision in the final rule for reviews preparatory to research that was modeled on this exemption to the Common Rule. Deceased Persons Exception for Research Comment: A few commenters expressed support for the proposal to allow use and disclosure of protected health information about decedents for research purposes without the protections afforded to the protected health information of living individuals. One commenter, for example, explained that it extensively uses such information in its research, and any restrictions were likely to impede its efforts. Alternately, a number of commenters provided arguments for eliminating the research exception for deceased persons. They commented that the same concerns regarding use and disclosure of genetic and hereditary information for other purposes apply in the research context. They believed that in many cases the risk of identification was greater in the research context because researchers may attempt to identify genetic and hereditary conditions of the deceased. Finally, they argued that while information of the deceased does not necessarily identify living relatives by name, living relatives could be identified and suffer the same harm as if their own medical records were used or disclosed for research purposes. Another commenter stated that the exception was unnecessary, and that existing research could and should proceed under the requirements in proposed Sec. 164.510 that dictated the IRB/privacy board approval process or be conducted using de- identified information. This commenter further stated that in this way, at least there would be some degree of assurance that all reasonable steps are taken to protect deceased persons' and their families' confidentiality. Response: Although we understand the concerns raised by commenters, we believe those concerns are outweighed by the need to keep the research-related policies in this rule as consistent as possible with standard research practice under the Common Rule, which does not consider deceased persons to be ``human subjects.'' Thus, we retain the exception in the final rule. With regard to the protected health information about a deceased individual, therefore, a covered entity is permitted to use or disclose such information for research purposes without obtaining authorization from a personal representative and absent approval by an IRB or privacy board as governed by Sec. 164.512(i). We note that the National Bioethics Advisory Committee (NBAC) is currently considering revising the Common Rule's definition of ``human subject'' with regard to coverage of the deceased. However, at this time, NBAC's deliberations on this issue are not yet completed and any reliance on such discussions would be premature. The final rule requires at Sec. 164.512(i)(1)(iii) that covered entities obtain from the researcher (1) representation that the use or disclosure is sought solely for research on the protected health information of decedents; (2) documentation, at the request of the covered entity, of the death of such individuals; and (3) representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. It is our intention with this change to reduce the burden and ambiguity on the part of the covered entity to determine whether or not the [[Page 82702]] request is for protected health information of a deceased individual. Comment: Some commenters, in their support of the research exception, requested that HHS clarify in the final rule that protected health information obtained during the donation process of eyes and eye tissue could continue to be used or disclosed to or by eye banks for research purposes without an authorization and without IRB approval. They expressed concern over the impediments to this type of research these approvals would impose, such as added administrative burden and vulnerabilities to the time sensitive nature of the process. Another commenter similarly expressed the position that, with regard to uses and disclosures of protected health information for tissue, fluid, or organ donation, the regulation should not present an obstacle to the transfer of donations unsuitable for transplant to the research community. However, they believed that consent can be obtained for such purposes since the donor or donor's family must generally consent to any transplant purposes, it would seem to be a minimal additional obligation to seek consent for research purposes at the same time, should the material be unsuitable for transplant. Response: Protected health information about a deceased individual, including information related to eyes and eye tissue, can be used or disclosed further for research purposes by a covered entity in accordance with Sec. 164.512(i)(1)(iii) without authorization or IRB or privacy board approval. This rule does not address whether organs unsuitable for transplant may be transferred to researchers with or without consent. Modification of the Common Rule Comment: We received a number of comments that interpreted the proposed rule as having unnecessarily and inappropriately amended the Common Rule. Assuming that the Common Rule was being modified, these comments argued that the rule was legally deficient under the Administrative Procedures Act, the Regulatory Flexibility Act, and other controlling Executive orders or laws. In addition, one research organization expressed concern that, by involving IRBs in the process of approving a waiver of authorization for disclosure purposes and establishing new criteria for such waiver approvals, the proposed rule would have subjected covered entities whose IRBs failed to comply with the requirements for reviewing and approving research to potential sanctions under HIPAA. The comment recommended that the rule be changed to eliminate such a punitive result. Specifically, the comment recommended that the existing Common Rule structure be preserved for IRB-approved research, and that the waiver of authorization criteria for privacy purposes be kept separate from the other functions of the IRB. Response: We disagree with the comments asserting the proposed rule attempted to change the Common Rule. It was not our intent to modify or amend the Common Rule or to regulate the activities of the IRBs with respect to the underlying research. We therefore reject the comments about legal deficiencies in the rule which are based on the mistaken perception that the Common Rule was being amended. The proposed rule established new requirements for covered entities before they could use or disclose protected health information for research without authorization. The proposed rule provided that one method by which a covered entity could obtain the necessary documentation was to receive it from an IRB. We did not mandate IRBs to perform such reviews, and we expressly provided for means other than through IRBs for covered entities to obtain the required documentation. In the final rule, we also have clarified our intent not to interfere with existing requirements for IRBs by amending the language in the waiver criteria to make clear that these criteria relate to the privacy interests of the individual and are separate from the criteria that would be applied by an IRB to any evaluation of the underlying research. Moreover, we have restructured the final rule to also make clear that we are regulating only the content and conditions of the documentation upon which a covered entity may rely in making a disclosure of protected health information for research purposes. We cannot and do not purport to regulate IRBs or modify the Common Rule through this regulation. We cannot under this rule penalize an IRB for failure to comply with the Common Rule, nor can we sanction an IRB based on the documentation requirements in the rule. Health plans and covered health care providers may rely on documentation from an IRB or privacy board concerning the alteration or waiver of authorization for the disclosure of protected health information for research purposes, provided the documentation, on its face, meets the requirements in the rule. Health plans and covered health care providers will not be penalized for relying on facially adequate documentation from an IRB. Health plans and covered health providers will only be penalized for their own errors or omissions in following the requirements of the rule, and not those of the IRB. Use Versus Disclosure Comment: Many of the comments supported the proposed rule's provision that would have imposed the same requirements for both research uses and research disclosures of protected health information. Response: We agree with these comments. In the final rule we retain identical use and disclosure requirements for research uses and disclosures of protected health information by covered entities. Comment: In contrast, a few commenters recommended that there be fewer requirements on covered entities for internal research uses of protected health information. Response: For the reasons discussed above in Sec. 164.501 on the definition of ``research,'' we disagree that an individual's privacy interest is of less concern when covered entities use protected health information for research purposes than when covered entities disclose protected health information for research purposes. Therefore, in the final rule, the research-related requirements of Sec. 164.512(i) apply to both uses and disclosures of protected health information for research purposes without authorization. Additional Resources for IRBs Comment: A few commenters recommended that HHS work to provide additional resources to IRBs to assist them in meeting their new responsibilities. Response: This recommendation is beyond our statutory authority under HIPAA, and therefore, cannot be addressed by the final rule. However, we fully agree that steps should be taken to moderate the workload of IRBs and to ensure adequate resources for their activities. Through the Office for Human Research Protections, the Department is committed to working with institutions and IRBs to identify efficient ways to optimize utilization of resources, and is committed to developing guidelines for appropriate staffing and workload levels for IRBs. Additional Suggested Requirements Comment: One commenter recommended that the documentation of IRB or privacy board approval also be required to state that, ``the health researcher has fully disclosed which of [[Page 82703]] the protected health information to be collected or created would be linked to other protected health information, and that appropriate safeguards be employed to protect information against re-identification or subsequent unauthorized linkages.'' Response: The proposed provision for the use or disclosure of protected health information for research purposes without authorization only pertained to individually identifiable health information. Therefore, since the information to be obtained would be individually identifiable, we concluded that it was illogical to require IRBs and privacy boards document that the researcher had ``fully disclosed that * * * appropriate safeguards be employed to protect information against re-identification or subsequent unauthorized linkages.'' Therefore, we did not incorporate this recommendation into the final rule. Section 164.512(j)--Uses and Disclosures To Avert a Serious Threat to Health or Safety Comment: Several commenters generally stated support for proposed Sec. 164.510(k), which was titled ``Uses and Disclosures in Emergency Circumstances.'' One commenter said that ``narrow exceptions to confidentiality should be permitted for emergency situations such as duty to warn, duty to protect, and urgent law enforcement needs.'' Another commented that the standard `` * * * based on a reasonable belief that the disclosures are necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual'' would apply in only narrow treatment circumstances. Some commenters suggested that the provision be further narrowed, for example, with language specifically identifying ``imminent threats'' and a ``chain- of-command clearance process,'' or by limiting permissible disclosures under this provision to ``public health emergencies,'' or ``national emergencies.'' Others proposed procedural requirements, such as specifying that such determinations may only be made by the patient's treating physician, a licensed mental health care professional, or as validated by three physicians. One commenter recommended stating that the rule is not intended to create a duty to warn or to disclose protected health information but rather permits such disclosure in emergency circumstances, consistent with other applicable legal or ethical standards. Response: We agree with the commenters who noted that the proposed provision would apply in rare circumstances. We clarify, however, that we did not intend for the proposed provision to apply to emergency treatment scenarios as discussed below. In the final rule, to avoid confusion over the circumstances in which we intend this section to apply, we retitle it ``Uses and Disclosures to Avert a Serious Threat to Health or Safety.'' We do not believe it would be appropriate to narrow further the scope of permissible disclosures under this section to respond to specifically identified ``imminent threats,'' a ``public health emergency,'' or a ``national emergency.'' We believe it would be impossible to enumerate all of the scenarios that may warrant disclosure of protected health information pursuant to this section. Such cases may involve a small number of people and may not necessarily involve a public health emergency or a national emergency. Furthermore, in response to comments arguing that the proposed provision was too broad, we note that under both the NPRM and the final rule, we allow but do not require disclosures in situations involving serious and imminent threats to health or safety. Health plans and covered health care providers may make the disclosures allowed under Sec. 164.512(j) consistent with applicable law and standards of ethical conduct. As indicated in the preamble to the NPRM, the proposed approach is consistent with statutory and case law addressing this issue. The most well-known case on the topic is Tarasoff v. Regents of the University of California, 17 Cal. 3d 425 (1976), which established a duty to warn those at risk of harm when a therapist's patient made credible threats against the physical safety of a specific person. The Supreme Court of California found that the therapist involved in the case had an obligation to use reasonable care to protect the intended victim of his patient against danger, including warning the victim of the peril. Many states have adopted, in statute or through case law, versions of the Tarasoff duty to warn or protect. Although Tarasoff involved a psychiatrist, this provision is not limited to disclosures by psychiatrists or other mental health professionals. As stated in the preamble of the NPRM, we clarify that Sec. 164.512(j) is not intended to create a duty to warn or disclose protected health information. Comment: Several comments addressed the portion of proposed Sec. 164.510(k) that would have provided a presumption of reasonable belief to covered entities that disclosed protected health information pursuant to this provision, when such disclosures were made in good faith, based on credible representation by a person with apparent knowledge or authority. Some commenters recommended that this standard be applied to all permissible disclosures without consent or to such disclosures to law enforcement officials. Alternatively, a group representing health care provider management firms believed that the proposed presumption of reasonable belief would not have provided covered entities with sufficient protection from liability exposure associated with improper uses or disclosures. This commenter recommended that a general good-faith standard apply to covered entities' decisions to disclose protected health information to law enforcement officials. A health plan said that HHS should consider applying the standard of reasonable belief to all uses and disclosures that would have been allowed under proposed Sec. 164.510. Another commenter questioned how the good-faith presumption would apply if the information came from a confidential informant or from a person rather than a doctor, law enforcement official, or government official. (The NPRM listed doctors, law enforcement officials, and other government officials as examples of persons who may make credible representations pursuant to this section.) Response: As discussed above, this provision is intended to apply in rare circumstances--circumstances that occur much less frequently than those described in other parts of the rule. Due to the importance of averting serious and imminent threats to health and safety, we believe it is appropriate to apply a presumption of good faith to covered entities disclosing protected health information under this section. We believe that the extremely time-sensitive and urgent conditions surrounding the need to avert a serious and imminent threat to the health or safety are fundamentally different from those involved in disclosures that may be made pursuant to other sections of the rule. Therefore, we do not believe it would be appropriate to apply to other sections of the rule the presumption of good faith that applies in Sec. 164.512(j). We clarify that we intend for the presumption of good faith to apply if the disclosure is made in good faith based upon a credible representation by any person with apparent knowledge or authority--not just by doctors, law enforcement or other government officials. Our listing of these persons in the NPRM was illustrative only, and it was not intended to limit the types of [[Page 82704]] persons who could make such a credible representation to a covered entity. Comment: One commenter questioned under what circumstances proposed Sec. 164.510(k) would apply instead of proposed Sec. 164.510(f)(5), ``Urgent Circumstances,'' which permitted covered entities to disclose protected health information to law enforcement officials about individuals who are or are suspected to be victims of a crime, abuse, or other harm, if the law enforcement official represents that the information is needed to determine whether a violation of law by a person other than the victim has occurred and immediate law enforcement activity that depends upon obtaining such information may be necessary. Response: First, we note that inclusion of this provision as Sec. 164.510(f)(5) was a drafting error which subsequently was clarified in technical corrections to the NPRM. In fact, proposed Sec. 164.510(f)(3) addressed the identical circumstances, which in this subsection were titled ``Information about a Victim of Crime or Abuse.'' The scenarios described under Sec. 164.510(f)(3) may or may not involve serious and imminent threats to health or safety. Second, as discussed in the main section of the preamble to Sec. 164.512(j), we recognize that in some situations, more than one section of this rule potentially could apply with respect to a covered entity's potential disclosure of protected health information. We clarify that if a situation fits one section of the rule (e.g., Sec. 164.512(j) on serious and imminent threats to health or safety), health plans and covered health care providers may disclose protected health information pursuant to that section, regardless of whether the disclosure also could be made pursuant to another section (e.g., Secs. 164.512(f)(2) or 164.512(f)(3), regarding disclosure of protected health information about suspects or victims to law enforcement officials), except as otherwise stated in the rule. Comment: A state health department indicated that the disclosures permitted under this section may be seen as conflicting with existing law in many states. Response: As indicated in the regulation text for Sec. 164.512(j), this section allows disclosure consistent with applicable law and standards of ethical conduct. We do not preempt any state law that would prohibit disclosure of protected health information in the circumstances to which this section applies. (See Part 160, Subpart B.) Comment: Many commenters stated that the rule should require that any disclosures should not modify ``duty to warn'' case law or statutes. Response: The rule does not affect case law or statutes regarding ``duty to warn.'' In Sec. 164.512(j), we specifically permit covered entities to disclose protected health information without authorization for the purpose of protecting individuals from imminent threats to health and safety, consistent with state laws and ethical obligations. Section 164.512(k)--Uses and Disclosures for Specialized Government Functions Military Purposes Armed Forces Personnel and Veterans Comment: A few comments opposed the proposed rule's provisions on the military, believing that they were too broad. Although acknowledging that the Armed Forces may have legitimate needs for access to protected health data, the commenters believed that the rule failed to provide adequate procedural protections to individuals. A few comments said that, except in limited circumstances or emergencies, covered entities should be required to obtain authorization before using or disclosing protected health information. A few comments also expressed concern over the proposed rule's lack of specific safeguards to protect the health information of victims of domestic violence and abuse. While the commenters said they understood why the military needed access to health information, they did not believe the rule would impede such access by providing safeguards for victims of domestic violence or abuse. Response: We note that the military comprises a unique society and that members of the Armed Forces do not have the same freedoms as do civilians. The Supreme Court held in Goldman v. Weinberger, 475 US 503 (1986), that the military must be able to command its members to sacrifice a great many freedoms enjoyed by civilians and to endure certain limits on the freedoms they do enjoy. The Supreme Court also held in Parker v. Levy, 417 US 733 (1974), that the different character of the military community and its mission required a different application of Constitutional protections. What is permissible in the civilian world may be impermissible in the military. We also note that individuals entering military service are aware that they will not have, and enjoy, the same rights as others. The proposed rule would have authorized covered entities to use and disclose protected health information about armed forces personnel only for activities considered necessary by appropriate military command authorities to assure the proper execution of the military mission. In order for the military mission to be achieved and maintained, military command authorities need protected health information to make determinations regarding individuals' medical fitness to perform assigned military duties. The proposed rule required the Department of Defense (DoD) to publish a notice in the Federal Register identifying its intended uses and disclosures of protected health information, and we have retained this approach in the final rule. This notice will serve to limit command authorities' access to protected health information to circumstances in which disclosure of protected health information is necessary to assure proper execution of the military mission. With respect to comments regarding the lack of procedural safeguards for individuals, including those who are victims of domestic violence and abuse, we note that the rule does not provide new authority for covered entities providing health care to individuals who are Armed Forces personnel to use and disclose protected health information. Rather, the rule allows the Armed Forces to use and disclose such information only for those military mission purposes which will be published separately in the Federal Register. In addition, we note that the Privacy Act of 1974, as implemented by the DoD, provides numerous protections to individuals. We modify the proposal to publish privacy rules for the military in the Federal Register. The NPRM would have required this notice to include information on the activities for which use or disclosure of protected health information would occur in order to assure proper execution of the military mission. We believe that this proposed portion of the notice is redundant and thus unnecessary in light the rule's application to military services. In the final rule, we eliminate this proposed section of the notice, and we state that health plans and covered health care providers may use and disclose protected health information of Armed Forces personnel for activities considered necessary by appropriate military command authorities to assure the proper execution of a military mission, where the appropriate military authority has published a Federal Register notice identifying: (1) The appropriate military command authorities; and (2) the purposes for [[Page 82705]] which protected health information may be used or disclosed. Comment: A few commenters, members of the affected beneficiary class, which numbers approximately 2.6 million (active duty and reserve military personnel), opposed proposed Sec. 164.510(m) because it would have allowed a non-governmental covered entity to provide protected health information without authorization to the military. These commenters were concerned that military officials could use the information as the basis for taking action against individuals. Response: The Secretary does not have the authority under HIPAA to regulate the military's re-use or re-disclosure of protected health information obtained from health plans and covered health care providers. This provision's primary intent is to ensure that proper military command authorities can obtain needed medical information held by covered entities so that they can make appropriate determinations regarding the individual's medical fitness or suitability for military service. Determination that an individual is not medically qualified for military service would lead to his or her discharge from or rejection for service in the military. Such actions are necessary in order for the Armed Forces to have medically qualified personnel, ready to perform assigned duties. Medically unqualified personnel not only jeopardize the possible success of a mission, but also pose an unacceptable risk or danger to others. We have allowed such uses and disclosures for military activities because it is in the Nation's interest. Separation or Discharge from Military Service Comment: The preamble to the NPRM solicited comments on the proposal to permit the DoD to transfer, without authorization, a service member's military medical record to the Department of Veterans Affairs (DVA) when the individual completed his or her term of military service. A few commenters opposed the proposal, believing that authorization should be obtained. Both the DoD and the DVA supported the proposal, noting that transfer allows the DVA to make timely determinations as to whether a veteran is eligible for benefits under programs administered by the DVA. Response: We note that the transfer program was established based on recommendations by Congress, veterans groups, and veterans; that it has existed for many years; and that there has been no objection to, or problems associated with, the program. We also note that the Department of Transportation (DoT) and the Department of Veterans Affairs operate an analogous transfer program with respect to United States Coast Guard personnel, who comprise part of the U.S. Armed Forces. The protected health information involved the DoD/DVA transfer program is being disclosed and used for a limited purpose that directly benefits the individual. This information is covered by, and thus subject to the protections of, the Privacy Act. For these reasons, the final rule retains the DoD/DVA transfer program proposed in the NPRM. In addition, we expand the NPRM's proposed provisions regarding the Department of Veterans Affairs to include the DoT/DVA program, to authorize the continued transfer of these records. Comment: The Department of Veterans Affairs supported the NPRM's proposal to allow it to use and disclose protected health information among components of the Department so that it could make determinations on whether an individual was entitled to benefits under laws administered by the Department. Some commenters said that the permissible disclosure pursuant to this section appeared to be sufficiently narrow in scope, to respond to an apparent need. Some commenters also said that the DVA's ability to make benefit determinations would be hampered if an individual declined to authorize release of his or her protected health information. A few commenters, however, questioned whether such an exchange of information currently occurs between the components. A few commenters also believed the proposed rule should be expanded to permit sharing of information with other agencies that administer benefit programs. Response: The final rule retains the NPRM's approach regarding use and disclosure of protected health information without authorization among components of the DVA for the purpose of making eligibility determinations based on commenters' assessment that the provision was narrow in scope and that an alternative approach could negatively affect benefit determinations for veterans. We modify the NPRM language slightly, to clarify that it refers to a health plan or covered health care provider that is a component of the DVA. These component entities may use or disclose protected health information without authorization among various components of the Department to determine eligibility for or entitlement to veterans' benefits. The final rule does not expand the scope of permissible disclosures under this provision to allow the DVA to share such information with other agencies. Other agencies may obtain this information only with authorization, subject to the requirements of Sec. 164.508. Foreign Military Personnel Comments: A few comments opposed the exclusion of foreign diplomatic and military personnel from coverage under the rule. These commenters said that the mechanisms that would be necessary to identify these personnel for the purpose of exempting them from the rule's standards would create significant administrative difficulties. In addition, they believed that this provision would have prohibited covered entities from making disclosures allowed under the rule. Some commenters were concerned that implementation of the proposed provision would result in disparate treatment of foreign military and diplomatic personnel with regard to other laws, and that it would allow exploitation of these individuals' health information. These commenters believed that the proposed rule's exclusion of foreign military and diplomatic personnel was unnecessarily broad and that it should be narrowed to meet a perceived need. Finally, they noted that the proposed exclusion could be affected by the European Union's Data Protection Directive. Response: We agree with the commenters' statement that the NPRM's exclusion of foreign military and diplomatic personnel from the rule's provisions was overly broad. Thus, the final rule's protections apply to these personnel. The rule covers foreign military personnel under the same provisions that apply to all other members of the U.S. Armed Forces, as described above. Foreign military authorities need access to protected health information for the same reason as must United States military authorities: to ensure that members of the armed services are medically qualified to perform their assigned duties. Under the final rule, foreign diplomatic personnel have the same protections as other individuals. Intelligence Community Comments: A few commenters opposed the NPRM's provisions regarding protected health information of intelligence community employees and their dependents being considered for postings overseas, on the grounds that the scope of permissible disclosure without authorization was too broad. While acknowledging that the intelligence community may have legitimate needs for its employees' protected health information, the commenters believed that the NPRM [[Page 82706]] failed to provide adequate procedural protections for the employees' information. A few comments also said that the intelligence community should be able to obtain their employees' health information only with authorization. In addition, commenters said that the intelligence community should make disclosure of protected health information a condition of employment. Response: Again, we agree that the NPRM's provision allowing disclosure of the protected health information of intelligence community employees without authorization was overly broad. Thus we eliminate it in the final rule. The intelligence community can obtain this information with authorization (pursuant to Sec. 164.508), for example, when employees or their family members are being considered for an oversees assignment and when individuals are applying for employment with or seeking a contract from an intelligence community agency. National Security and Intelligence Activities and Protective Services for the President and Others Comment: A number of comments opposed the proposed ``intelligence and national security activities'' provision of the law enforcement section (Sec. 164.510(f)(4)), suggesting that it was overly broad. These commenters were concerned that the provision lacked sufficient procedural safeguards to prevent abuse of protected health information. The Central Intelligence Agency (CIA) and the Department of Defense (DoD) also expressed concern over the provision's scope. The agencies said that if implemented as written, the provision would have failed to accomplish fully its intended purpose of allowing the disclosure of protected health information to officials carrying out intelligence and national security activities other than law enforcement activities. The CIA and DoD believed that the provision should be moved to another section of the rule, possibly to proposed Sec. 164.510(m) on specialized classes, so that authorized intelligence and national security officials could obtain individuals' protected health information without authorization when lawfully engaged in intelligence and national security activities. Response: In the final rule, we clarify that this provision does not provide new authority for intelligence and national security officials to acquire health information that they otherwise would not be able to obtain. Furthermore, the rule does not confer new authority for intelligence, national security, or Presidential protective service activities. Rather, the activities permissible under this section are limited to those authorized under current law and regulation (e.g., for intelligence activities, 50 U.S.C. 401, et seq., Executive Order 12333, and agency implementing regulatory authorities). For example, the provision regarding national security activities pertains only to foreign persons that are the subjects of legitimate and lawful intelligence, counterintelligence, or other national security activities. In addition, the provision regarding protective services pertains only to those persons who are the subjects of legitimate investigations for threatening or otherwise exhibiting an inappropriate direction of interest toward U.S. Secret Service protectees pursuant to 18 U.S.C. 871, 879, and 3056. Finally, the rule leaves intact the existing State Department regulations that strictly limit the disclosure of health information pertaining to employees (e.g., Privacy Issuances at State-24 Medical Records). We believe that because intelligence/national security activities and Presidential/other protective service activities are discrete functions serving different purposes, they should be treated consistently but separately under the rule. For example, medical information is used as a complement to other investigative data that are pertinent to conducting comprehensive threat assessment and risk prevention activities pursuant to 18 U.S.C. 3056. In addition, information on the health of world leaders is important for the provision of protective services and other functions. Thus, Sec. 164.512(k) of the final rule includes separate subsections for national security/intelligence activities and for disclosures related to protective services to the President and others. We note that the rule does not require or compel a health plan or covered health care provider to disclose protected health information. Rather, two subsections of Sec. 164.512(k) allow covered entities to disclose information for intelligence and national security activities and for protective services to the President and others only to authorized federal officials conducting these activities, when such officials are performing functions authorized by law. We agree with DoD and CIA that the NPRM, by including these provisions in the law enforcement section (proposed Sec. 164.510(f)), would have allowed covered entities to disclose protected health information for national security, intelligence, and Presidential protective activities only to law enforcement officials. We recognize that many officials authorized by law to carry out intelligence, national security, and Presidential protective functions are not law enforcement officials. Therefore, the final rule allows covered entities to disclose protected health information pursuant to this provision not only to law enforcement officials, but to all federal officials authorized by law to carry out the relevant activities. In addition, we remove this provision from the law enforcement section and include it in Sec. 164.512(k) on uses and disclosures for specialized government functions Medical Suitability Determinations Comment: A few comments opposed the NPRM's provision allowing the Department of State to use protected health information for medical clearance determinations. These commenters believed that the scope of permissible disclosures under the proposed provision was too broad. While acknowledging that the Department may have legitimate needs for access to protected health data, the commenters believed that implementation of the proposed provision would not have provided adequate procedural safeguards for the affected State Department employees. A few comments said that the State Department should be able to obtain protected health information for medical clearance determinations only with authorization. A few comments also said that the Department should be able to disclose such information only when required for national security purposes. Some commenters believed that the State Department should be subject to the Federal Register notice requirement that the NPRM would have applied to the Department of Defense. A few comments also opposed the proposed provision on the basis that it would conflict with the Rehabilitation Act of 1973 or that it appeared to represent an invitation to discriminate against individuals with mental disorders. Response: We agree with commenters who believed that the NPRM's provision regarding the State Department's use of protected health information without authorization was unnecessarily broad. Therefore, in the final rule, we restrict significantly the scope of protected health information that the State Department may use and disclose without authorization. First, we allow health plans and covered health care providers that are a component of the State Department to use and disclose protected health information without authorization when making medical suitability determinations for security clearance purposes. For the purposes of a security investigation, these [[Page 82707]] components may disclose to authorized State Department officials whether or not the individual was determined to be medically suitable. Furthermore, we note that the rule does not confer authority on the Department to disclose such information that it did not previously possess. The Department remains subject to applicable law regarding such disclosures, including the Rehabilitation Act of 1973. The preamble to the NPRM solicited comment on whether there was a need to add national security determinations under Executive Order 10450 to the rule's provision on State Department uses and disclosures of protected health information for security determinations. While we did not receive comment on this issue, we believe that a limited addition is warranted and appropriate. Executive Orders 10450 and 12968 direct Executive branch agencies to make certain determinations regarding whether their employees' access to classified information is consistent with the national security interests of the United States. Specifically, the Executive Orders state that access to classified information shall be granted only to those individuals whose personal and professional history affirmatively indicates, inter alia, strength of character, trustworthiness, reliability, and sound judgment. In reviewing the personal history of an individual, Executive branch agencies may investigate and consider any matter, including a mental health issue or other medical condition, that relates directly to any of the enumerated factors. In the vast majority of cases, Executive agencies require their security clearance investigators to obtain the individual's express consent in the form of a medical release, pursuant to which the agency can conduct its background investigation and obtain any necessary health information. This rule does not interfere with agencies' ability to require medical releases for purposes of security clearances under these Executive Orders. In the case of the Department of State, however, it may be impracticable or infeasible to obtain an employee's authorization when exigent circumstances arise overseas. For example, when a Foreign Service Officer is serving at an overseas post and he or she develops a critical medical problem which may or may not require a medical evacuation or other equally severe response, the Department's medical staff have access to the employee's medical records for the purpose of making a medical suitability determination under Executive Orders 10450 and 12968. To restrict the Department's access to information at such a crucial time due to a lack of employee authorization leaves the Department no option but to suspend the employee's security clearance. This action automatically would result in an immediate forced departure from post, which negatively would affect both the Department, due to the unexpected loss of personnel, and the individual, due to the fact that a forced departure can have a long-term impact on his or her career in the Foreign Service. For this reason, the rule contains a limited security clearance exemption for the Department of State. The exemption allows the Department's own medical staff to continue to have access to an employee's medical file for the purpose of making a medical suitability determination for security purposes. The medical staff can convey a simple ``yes'' or ``no'' response to those individuals conducting the security investigation within the Department. In this way, the Department is able to make security determinations in exigent circumstances without disclosing any specific medical information to any employees other than the medical personnel who otherwise have routine access to these same medical records in an everyday non- security context. Second, and similarly, the final rule establishes a similar system for disclosures of protected health information necessary to determine worldwide availability or availability for mandatory service abroad under sections 101(a)(4) and 504 of the Foreign Service Act. The Act requires that Foreign Service members be suitable for posting throughout the world and for certain specific assignments. For this reason, we permit a limited exemption to serve the purposes of the statute. Again, the medical staff can convey availability determinations to State Department officials who need to know if certain Foreign Service members are available to serve at post. Third, and finally, the final rule recognizes the special statutory obligations that the State Department has regarding family members of Foreign Service members under sections 101(b)(5) and 904 of the Foreign Service Act. Section 101(b)(5) of the Foreign Service Act requires the Department of State to mitigate the impact of hardships, disruptions, and other unusual conditions on families of Foreign Service Officers. Section 904 requires the Department to establish a health care program to promote and maintain the physical and mental health of Foreign Service member family members. The final rule permits disclosure of protected health information to officials who need protected health information to determine whether a family member can accompany a Foreign Service member abroad. Given the limited applicability of the rule, we believe it is not necessary for the State Department to publish a notice in the Federal Register to identify the purposes for which the information may be used or disclosed. The final rule identifies these purposes, as described above. Correctional Institutions Comments about the rule's application to correctional institutions are addressed in Sec. 164.501, under the definition of ``individual.'' Section 164.512(l)--Disclosures for Workers' Compensation Comment: Several commenters stated that workers' compensation carriers are excepted under the HIPAA definition of group health plan and therefore we have no authority to regulate them in this rule. These commenters suggested clarifying that the provisions of the proposed rule did not apply to certain types of insurance entities, such as workers' compensation carriers, and that such non-covered entities should have full access to protected health information without meeting the requirements of the rule. Other commenters argued that a complete exemption for workers' compensation carriers was inappropriate. Response: We agree with commenters that the proposed rule did not intend to regulate workers' compensation carriers. In the final rule we have incorporated a provision that clarifies that the term ``health plan'' excludes ``any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits as defined in section 2791(c)(1) of the PHS Act.'' See discussion above under the definition of ``health plan'' in Sec. 164.501. Comment: Some commenters argued that the privacy rule should defer to other laws that regulate the disclosure of information to employers and workers' compensation carriers. They commented that many states have laws that require sharing of information--without consent--between providers and employers or workers' compensation carriers. Response: We agree that the privacy rule should permit disclosures necessary for the administration of state and other workers' compensation systems. To assure that workers' compensations systems are not disrupted, we have added a new [[Page 82708]] provisions to the final rule. The new Sec. 164.512(l) permits covered entities to disclose protected health information as authorized by and to the extent necessary to comply with workers' compensation or other similar programs established by law that provide benefits for work- related injuries or illnesses without regard to fault. We also note that where a state or other law requires a use or disclosure of protected health information under a workers' compensation or similar scheme, the disclosure would be permitted under Sec. 164.512(a). Comment: Several commenters stated that if workers' compensation carriers are to receive protected health information, they should only receive the minimum necessary as required in Sec. 164.514. The commenters argued that employers and workers' compensation carriers should not have access to the entire medical history or portions of the medical history that have nothing to do with the injury in question. Further, the covered provider and not the employer or carrier should determine minimum necessary since the provider is a covered entity and only covered entities are subject to sanctions for violations of the rule. These commenters stated that the rule should clearly indicate the ability of covered entities to refuse to disclose protected health information if it went beyond the scope of the injury. Workers' compensation carriers, on the other hand, argued that permitting providers to determine the minimum necessary was inappropriate because determining eligibility for benefits is an insurance function, not a medical function. They stated that workers' compensation carriers need access to the full range of information regarding treatment for the injury underlying the claim, the claimants' current condition, and any preexisting conditions that can either mitigate the claim or aggravate the impact of the injury. Response: Under the final rule, covered entities must comply with the minimum necessary provisions unless the disclosure is required by law. Our review of state workers' compensation laws suggests that many of these laws address the issue of the scope of information that is available to carriers and employers. The rule permits a provider to disclose information that is authorized by such a law to the extent necessary to comply with such law. Where the law is silent, the workers' compensation carrier and covered health care provider will need to discuss what information is necessary for the carrier to administer the claim, and the health care provider may disclose that information. We note that if the workers' compensation insurer has secured an authorization from the individual for the release of protected health information, the covered entity may release the protected health information described in the authorization. Section 164.514 Requirements for Uses and Disclosures Section 164.514(a)-(c)--De-identification General Approach Comments: The comments on this topic almost unanimously supported the concept of de-identification and efforts to expand its use. Although a few comments suggested deleting one of the proposed methods or the other, most appeared to support the two method approach for entities with differing levels of statistical expertise. Many of the comments argued that the standard for creation of de- identified information should be whether there is a ``reasonable basis to believe'' that the information has been de-identified. Others suggested that the ``reasonable basis'' standard was too vague. A few commenters suggested that we consider information to be de- identified if all personal identifiers that directly reveal the identity of the individual or provide a direct means of identifying individuals have been removed, encrypted or replaced with a code. Essentially, this recommendation would require only removal of ``direct'' identifiers (e.g., name, address, and ID numbers) and allow retention of all ``indirect'' identifiers (e.g., zip code and birth date) in ``de-identified'' information. These comments did not suggest a list or further definition of what identifiers should be considered ``direct'' identifiers. Some commenters suggested that the standard be modified to reflect a single standard that applies to all covered entities in the interest of reducing uncertainty and complexity. According to these comments, the standard for covered entities to meet for de-identification of protected health information should be generally accepted standards in the scientific and statistical community, rather than focusing on a specified list of identifiers that must be removed. A few commenters believed that no record of information about an individual can be truly de-identified and that all such information should be treated and protected as identifiable because more and more information about individuals is being made available to the public, such as voter registration lists and motor vehicle and driver's license lists, that would enable someone to match (and identify) records that otherwise appear to be not identifiable. Response: In the final rule, we reformulate the method for de- identification to more explicitly use the statutory standard of ``a reasonable basis to believe that the information can be used to identify the individual''--just as information is ``individually identifiable'' if there is a reasonable basis to believe that it can be used to identify the individual, it is ``de-identified'' if there is no reasonable basis to believe it can be so used. We also define more precisely how the standard should be applied. We did not accept comments that suggested that we allow only one method of de-identifying information. We find support for both methods in the comments but find no compelling logic for how the competing interests could be met cost-effectively with only one method. We also disagree with the comments that advocated using a standard which required removing only the direct identifiers. Although such an approach may be more convenient for covered entities, we judged that the resulting information would often remain identifiable, and its dissemination could result in significant violations of privacy. While we encourage covered entities to remove direct identifiers whenever possible as a method of enhancing privacy, we do not believe that the resulting information is sufficiently blinded as to permit its general dissemination without the protections provided by this rule. We agree with the comments that said that records of information about individuals cannot be truly de-identified, if that means that the probability of attribution to an individual must be absolutely zero. However, the statutory standard does not allow us to take such a position, but envisions a reasonable balance between risk of identification and usefulness of the information. We disagree with those comments that advocated releasing only truly anonymous information (which has been changed sufficiently so that it no longer represents actual information about real individuals) and those that supported using only sophisticated statistical analysis before allowing uncontrolled disclosures. Although these approaches would provide a marginally higher level of privacy protection, they would preclude many of the laudable and valuable uses discussed in the NPRM (in Sec. 164.506(d)) and would impose too great a burden on [[Page 82709]] less sophisticated covered entities to be justified by the small decrease in an already small risk of identification. We conclude that compared to the alternatives advanced by the comments, the approach proposed in the NPRM, as refined and modified below in response to the comments, most closely meets the intent of the statute. Comments: A few comments complained that the proposed standards were so strict that they would expose covered entities to liability because arguably no information could ever be de-identified. Response: In the final rule we have modified the mechanisms by which a covered entity may demonstrate that it has complied with the standard in ways that provide greater certainty. In the standard method for de-identification, we have clarified the professional standard to be used, and anticipate issuing further guidance for covered entities to use in applying the standard. In the safe harbor method, we reduced the amount of judgment that a covered entity must apply. We believe that these mechanisms for de-identification are sufficiently well- defined to protect covered entities that follow them from undue liability. Comments: Several comments suggested that the rule prohibit any linking of de-identified data, regardless of the probability of identification. Response: Since our methods of de-identification include consideration of how the information might be used in combination with other information, we believe that linking de-identified information does not pose a significantly increased risk of privacy violations. In addition, since our authority extends only to the regulation of individually identifiable health information, we cannot regulate de- identified information because it no longer meets the definition of individually identifiable health information. We also have no authority to regulate entities that might receive and desire to link such information yet that are not covered entities; thus such a prohibition would have little protective effect. Comments: Several commenters suggested that we create incentives for covered entities to use de-identified information. One commenter suggested that we mandate an assessment to see if de-identified information could be used before the use or disclosure of identified information would be allowed. Response: We believe that this final rule establishes a reasonable mechanism for the creation of de-identified information and the fact that this de-identified information can be used without having to follow the policies, procedures, and documentation required to use individually identifiable health information should provide an incentive to encourage its use where appropriate. We disagree with the comment suggesting that we require an assessment of whether de- identified information could be used for each use or disclosure. We believe that such a requirement would be too burdensome on covered entities, particularly with respect to internal uses, where entire records are often used by medical and other personnel. For disclosures, we believe that such an assessment would add little to the protection provided by the minimum necessary requirements in this final rule. Comments: One commenter asked if de-identification was equivalent to destruction of the protected health information (as required under several of the provisions of this final rule). Response: The process of de-identification creates a new dataset in addition to the source dataset containing the protected health information. This process does not substitute for actual destruction of the source data. Modifications to the Proposed Standard for De-Identification Comments: Several commenters called for clarification of proposed language in the NPRM that would have permitted a covered entity to treat information as de-identified, even if specified identifiers were retained, as long as the probability of identifying subject individuals would be very low. Commenters expressed concern that the ``very low'' standard was vague. These comments expressed concern that covered entities would not have a clear and easy way to know when information meets this part of the standard. Response: We agree with the comments that covered entities may need additional guidance on the types of analyses that they should perform in determining when the probability of re-identification of information is very low. We note that in the final rule, we reformulate the standard somewhat to require that a person with appropriate knowledge and experience apply generally accepted statistical and scientific methods relevant to the task to make a determination that the risk of re-identification is very small. In this context, we do not view the difference between a very low probability and a very small risk to be substantive. After consulting representatives of the federal agencies that routinely de-identify and anonymize information for public release \16\ we attempt here to provide some guidance for the method of de- identification. --------------------------------------------------------------------------- \16\ Confidentiality and Data Access Committee, Federal Committee on Statistical Methodology, Office of Management and Budget. --------------------------------------------------------------------------- As requested by some commenters, we include in the final rule a requirement that covered entities (not following the safe harbor approach) apply generally accepted statistical and scientific principles and methods for rendering information not individually identifiable when determining if information is de-identified. Although such guidance will change over time to keep up with technology and the current availability of public information from other sources, as a starting point the Secretary approves the use of the following as guidance to such generally accepted statistical and scientific principles and methods: (1) Statistical Policy Working Paper 22--Report on Statistical Disclosure Limitation Methodology (http://www.fcsm.gov/working-papers/ wp22.html) (prepared by the Subcommittee on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology, Office of Management and Budget); and (2) The Checklist on Disclosure Potential of Proposed Data Releases (http://www.fcsm.gov/docs/checklist__799.doc) (prepared by the Confidentiality and Data Access Committee, Federal Committee on Statistical Methodology, Office of Management and Budget). We agree with commenters that such guidance will need to be updated over time and we will provide such guidance in the future. According to the Statistical Policy Working Paper 22, the two main sources of disclosure risk for de-identified records about individuals are the existence of records with very unique characteristics (e.g., unusual occupation or very high salary or age) and the existence of external sources of records with matching data elements which can be used to link with the de-identified information and identify individuals (e.g., voter registration records or driver's license records). The risk of disclosure increases as the number of variables common to both types of records increases, as the accuracy or resolution of the data increases, and as the number of external sources increases. As outlined in Statistical Policy Working Paper 22, an expert disclosure analysis would also consider the probability that an individual who is the target of an attempt at re-identification is represented on both [[Page 82710]] files, the probability that the matching variables are recorded identically on the two types of records, the probability that the target individual is unique in the population for the matching variables, and the degree of confidence that a match would correctly identify a unique person. Statistical Policy Working Paper 22 also describes many techniques that can be used to reduce the risk of disclosure that should be considered by an expert when de-identifying health information. In addition to removing all direct identifiers, these include the obvious choices based on the above causes of the risk; namely, reducing the number of variables on which a match might be made and limiting the distribution of the records through a ``data use agreement'' or ``restricted access agreement'' in which the recipient agrees to limits on who can use/receive the data. The techniques also include more sophisticated manipulations: recoding variables into fewer categories to provide less precise detail (including rounding of continuous variables); setting top-codes and bottom-codes to limit details for extreme values; disturbing the data by adding noise by swapping certain variables between records, replacing some variables in random records with mathematically imputed values or averages across small random groups of records, or randomly deleting or duplicating a small sample of records; and replacing actual records with synthetic records that preserve certain statistical properties of the original data. Modifications to the ``Safe Harbor'' Comments: Many commenters argued that stripping all 19 identifiers is unnecessary for purposes of de-identification. They felt that such items as zip code, city (or county), and birth date, for example, do not identify the individual and only such identifiers as name, street address, phone numbers, fax numbers, email, Social Security number, driver's license number, voter registration number, motor vehicle registration, identifiable photographs, finger prints, voice prints, web universal resource locator, and Internet protocol address number need to be removed to reasonably believe that data has been de- identified. Other commenters felt that removing the full list of identifiers would significantly reduce the usefulness of the data. Many of these comments focused on research and, to a lesser extent, marketing and undefined ``statistical analysis.'' Commenters who represented various industries and research institutions expressed concern that they would not be able to continue current activities such as development of service provider networks, conducting ``analysis'' on behalf of the plan, studying use of medication and medical devices, community studies, marketing and strategic planning, childhood immunization initiatives, patient satisfaction surveys, and solicitation of contributions. The requirements in the NPRM to strip off zip code and date of birth were of particular concern. These commenters stated that their ability to do research and quality analysis with this data would be compromised without access to some level of information about patient age and/or geographic location. Response: While we understand that removing the specified identifiers may reduce the usefulness of the resulting data to third parties, we remain convinced by the evidence found in the MIT study that we referred to in the preamble to the proposed rule \17\ and the analyses discussed below that there remains a significant risk of identification of the subjects of health information from the inclusion of indirect identifiers such as birth date and zip code and that in many cases there will be a reasonable basis to believe that such information remains identifiable. We note that a covered entity not relying on the safe harbor may determine that information from which sufficient other identifiers have been removed but which retains birth date or zip code is not reasonably identifiable. As discussed above, such a determination must be made by a person with appropriate knowledge and expertise applying generally accepted statistical and scientific methods for rendering information not identifiable. --------------------------------------------------------------------------- \17\ Sweeney, L. Guaranteeing Anonymity when Sharing Medical Data, the Datafly System. Masys, D., Ed. Proceedings, American Medical Informatics Association, Nashville, TN: Hanley & Belfus, Inc., 1997:51-55. --------------------------------------------------------------------------- Although we have determined that all of the specified identifiers must be removed before a covered entity meets the safe harbor requirements, we made modifications in the final rule to the specified identifiers on the list to permit some information about age and geographic area to be retained in de-identified information. For age, we specify that, in most cases, year of birth may be retained, which can be combined with the age of the subject to provide sufficient information about age for most uses. After considering current and evolving practices and consulting with federal experts on this topic, including members of the Confidentiality and Data Access Committee of the Federal Committee on Statistical Methodology, Office of Management and Budget, we concluded that in general, age is sufficiently broad to be allowed in de-identified information, although all dates that might be directly related to the subject of the information must be removed or aggregated to the level of year to prevent deduction of birth dates. Extreme ages--90 and over--must be aggregated further (to a category of 90+, for example) to avoid identification of very old individuals (because they are relatively rare). This reflects the minimum requirement of the current recommendations of the Bureau of the Census.\18\ For research or other studies relating to young children or infants, we note that the rule would not prohibit age of an individual from being expressed as an age in months, days, or hours. --------------------------------------------------------------------------- \18\ The U.S. Census Bureau's Recommendations Concerning the Census 2000 Public Use Microdata Sample (PUMS) Files [http:// www.ipums.org/~census2000/2000pums__bureau.pdf], Population Division, U.S. Census Bureau, November 3, 2000. --------------------------------------------------------------------------- For geographic area, we specify that the initial three digits of zip codes may be retained for any three-digit zip code that contains more than 20,000 people as determined by the Bureau of the Census. As discussed more below, there are currently only 18 three-digit zip codes containing fewer than 20,000 people. We note that this number may change when information from the 2000 Decennial Census is analyzed. In response to concerns expressed in the comments about the need for information on geographic area, we investigated the potential of allowing 5-digit zip codes or 3-digit zip codes to remain in the de- identified information. According to 1990 Census data, the populations in geographical areas delineated by 3-digit zip codes vary a great deal, from a low of 394 to a high of 3,006,997, with an average size of 282,304. There are two 3-digit zip codes containing fewer than 500 people and six 3-digit zip codes containing fewer than 10,000 people each.\19\ Of the total of 881 3-digit zip codes, there are 18 with fewer than 20,000 people, 71 with fewer than 50,000 people, and 215 containing fewer than 100,000 population. We also looked at two-digit zip codes (the first 2 digits of the 5-digit zip code) and found that the smallest of the 98 2-digit zip codes contains 188,638 people. --------------------------------------------------------------------------- \19\ Figures derived from US Census data on 1990 Decennial Census of Population and Housing, Summary Tape File 3B (STF3B). These data are available to the public (for a fee) at http:// www.census.gov/mp/www/rom/msrom6af.html. --------------------------------------------------------------------------- We also investigated the practices of several other federal agencies which are mandated by Congress to release data [[Continued on page 82711]]